Abstract

This paper revisits the classical notion of sampling in the setting of 
real-time temporal logics for the modeling and analysis of systems. The 
relationship between the satisfiability of Metric Temporal Logic (MTL) 
formulas over continuous-time models and over discrete-time models is 
studied. It is shown to what extent discrete-time sequences obtained by 
sampling continuous-time signals capture the semantics of MTL formulas 
over the two time domains. The main results apply to "flat" formulas 
that do not nest temporal operators and can be applied to the problem of 
reducing the verification problem for MTL over continuous-time models 
to the same problem over discrete-time, resulting in an automated partial 
practically-efficient discretization technique. 



*A preliminary version of this paper appeared in [FR06, FPR08a].

1 Introduction

Computer programs are inherently discrete items, and they are typically modeled through techniques from the discrete mathematics domain. If, however, one shifts from a computer-centric to a system-centric view [FMMR10], physical elements, which are best described through continuous signals, enter the picture and must be taken into account throughout the system development process. This is the challenge that is at the core of the research on real-time and hybrid systems [HS06]. The challenge has two facets: modeling systems that integrate continuous and discrete components and analyzing properties of the integrated systems.

In this article we develop some techniques for the modeling and analysis of real-time systems with mixed continuous- and discrete-time components. Our approach targets the well-known Metric Temporal Logic (MTL [Koy90, AH93]) as formal notation, and it is based on the classical notion of sampling.

Sampling is a widely-used technique in the engineering domain, in particular in signal processing and automatic control, whereby continuous-time signals are transformed in discrete-time counterparts that are more amenable to digital processing [BF01]. In systems where continuous- and discrete-time components interact, a sampler constitutes the interface between these two classes of components, as it retains some partial information of the continuous-time processes and passes it to the discrete-time parts (see Figure 1). The classical sampling theory determines qualitatively how much information is preserved in this discretization process, and when the continuous-time signal can be perfectly reconstructed solely from its discrete-time samplings.

The sampling approach described in this article borrows from these well-known ideas, but revisits them in the very different setting of formal modeling and analysis of systems with real-time temporal logics.¹

In our approach, the behavior of components is modeled by means of MTL formulas. MTL formulas can be given a continuous-time or discrete-time semantics by interpreting them over sets of continuous- or discrete-time behaviors,² respectively (see Section 2 for formal definitions). Accordingly, MTL formulas can model either continuous- or discrete-time components. The problem of providing a unified semantics is then solved by introducing simple syntactic transformations to be applied to MTL formulas when moving their interpretation from continuous to discrete time, or vice versa. These transformations take into account the information that is preserved under sampling. That is, given a continuous-time formula $\phi_{\mathbb{R}}$, its (transformed) discrete-time counterpart $\phi_{\mathbb{Z}}$ is satisfied precisely by all discrete-time behaviors that are obtained by sampling

¹ Section 5.3 discusses in some detail how the classical notion of sampling and the one presented here are related, though different.

² Also called (Boolean) signals [MNP06, HR04].




Figure 1: A system with a sampler.

the continuous-time behaviors satisfying $\phi_{\mathbb{R}}$. Information preservation requires however an additional requirement — called non-Berkeleyness — on the sampled continuous-time behaviors to ensure that they are sufficiently "slow" with respect to the speed of the sampling process.

In summary, the contribution of this article is twofold. First, it introduces conditions that allow us to precisely relate the satisfiability of continuous-time MTL formulas to that of some suitable, "sampled", discrete-time counterparts. Second, it exploits this relation to define an effective, albeit partial, automated analysis technique that can be used to prove (or disprove) properties of systems with continuous-time components by reduction to the (usually simpler) discrete-time case. In this paper we do not deal with aspects regarding its implementation and performance in practice, which have been dealt with in related work [FPR08a, FPR08b, BFPR09]. Rather, we focus on the mathematical concepts underlying the relation between continuous- and discrete-time semantics of MTL.

This article is structured as follows. Section 2 introduces the MTL notation and its formal semantics, and discusses the expressiveness of some of its significant subsets. Section 3 presents the notions of sampling and sampling invariance for MTL, and proves some fundamental results about significant subsets of the MTL language that are amenable to the sampling technique introduced beforehand, and hence are suitable to define a unified semantics. Section 4 shows how the results of Section 3 can be applied to the problem of automated verification of continuous-time systems described with MTL. Finally, Section 5 provides an overview of related work, focusing on a few well-known approaches that are similar to ours; Section 6 briefly concludes.

Let us remark that the mathematical distinction between continuous and 
merely dense time models does not impact the results of this paper. Accordingly, 
we will essentially use the two terms as synonyms. 

2 Metric Temporal Logic(s) 

The symbols $\mathbb{Z}$, $\mathbb{Q}$, and $\mathbb{R}$ denote the sets of integer, rational, and real numbers, respectively. For a set $S$, $S_{\sim c}$ with $\sim$ one of $<, \le, >, \ge$ and $c \in S$ denotes the subset $\{s \in S \mid s \sim c\} \subseteq S$; for instance $\mathbb{Z}_{\ge 0} = \mathbb{N}$ denotes the set of nonnegative integers (i.e., naturals).

An interval $I$ of a set $S$ is a convex subset $\langle l, u \rangle$ of $S$ with $l, u \in S$, $\langle$ one of $($, $[$, and $\rangle$ one of $)$, $]$. An interval is empty iff it contains no points; an interval is punctual (or singular) iff $l = u$ and the interval is closed (i.e., it contains exactly one point). The length of an interval is given by $|I| = \max(u - l, 0)$. $-I$ denotes the interval $\langle -u, -l \rangle$, and $I \oplus t = t \oplus I$ denotes the interval $\langle t + l, t + u \rangle$, for any $t \in S$. For any numbers $x, y$ with $y > 0$, $x \pm \infty/y$ is defined to be $\pm\infty$. We occasionally represent intervals by pseudo-arithmetic expressions such as $> x$, $\ge x$, $< x$, $\le x$, and $= x$ for $(x, \infty)$, $[x, \infty)$, $[0, x)$, $[0, x]$ and $[x, x]$, respectively. For simplicity, we sometimes relax the notation for unbounded intervals and represent them with square (rather than round) closing brackets.
2.1 Behaviors

In this paper, $\mathbb{T}$ denotes any of the two time domains $\mathbb{R}$ and $\mathbb{Z}$. It is not difficult to adapt most notions and results to their mono-infinite counterparts $\mathbb{R}_{\ge 0}$ and $\mathbb{N}$, and possibly to other dense and discrete sets suitable to represent time domains [Koy92]. Also, let $\mathcal{P}$ be a set of propositional letters.

Definition 1 (Behaviors). A (timed) behavior over time domain $\mathbb{T}$ and alphabet $\mathcal{P}$ is a function $b : \mathbb{T} \to 2^{\mathcal{P}}$ which maps every time instant $t \in \mathbb{T}$ to the set of propositions $b(t) \in 2^{\mathcal{P}}$ that hold at $t$. The set of all behaviors over time domain $\mathbb{T}$ and alphabet $\mathcal{P}$ is denoted by $\mathcal{B}^{\mathbb{T}}_{\mathcal{P}}$.

$b|_P$ is a behavior over alphabet $P \subseteq \mathcal{P}$, denoting the projection of $b$ over $P$. For a behavior $b$ over some dense time domain $\mathbb{T}$, let $\tau(b)$ denote the ordered (multi)set of its discontinuity points, that is

$$\tau(b) = \{ x \in \mathbb{T} \mid b(x) \neq \lim_{t \to x^-} b(t), \text{ or } b(x) \neq \lim_{t \to x^+} b(t), \text{ or any of the two limits does not exist} \},$$

where each point that is both a right- and a left-discontinuity appears twice in $\tau(b)$. When $\mathbb{T}$ is a discrete set, $\tau(b)$ is defined to be the time domain $\mathbb{T}$ itself. If $\tau(b)$ is discrete, we can represent it as an ordered sequence (possibly unbounded to $\pm\infty$) of elements $\tau_i$ for $i \in \mathcal{I}$; it will be clear from the context whether we are treating $\tau(b)$ as a sequence or as a set. Elements in $\tau(b)$ are called the change (or transition) instants of $b$. $\tau(b)$ can be unbounded to $\pm\infty$ only if $\mathbb{T}$ has the same property.

Non-Zenoness. Since one is typically interested only in behaviors that represent physically meaningful behaviors, it is common to assume some regularity requirements. In particular, it is customary to assume non-Zenoness, also called finite variability [HR04].

Definition 2 (Non-Zenoness). A behavior $b \in \mathcal{B}^{\mathbb{T}}_{\mathcal{P}}$ is non-Zeno iff $\tau(b)$ has no accumulation points. The set of all non-Zeno behaviors is denoted by $\mathcal{B}^{\mathbb{T}}_{\mathcal{P}}$.

Notice that discrete-time behaviors are trivially non-Zeno. Also, it should be clear that every non-Zeno behavior can be represented through a canonical countable sequence of adjacent intervals of $\mathbb{T}$ such that $b$ is constant on every such interval. Namely, for $b \in \mathcal{B}^{\mathbb{T}}_{\mathcal{P}}$, $\iota(b)$ is an ordered sequence of intervals $\iota(b) = \{ I_i = \langle l_i, u_i \rangle \}$ for $i \in \mathcal{I}$ such that:

1. (cardinality of $\iota(b)$) $\mathcal{I}$ is an interval of $\mathbb{Z}$ with cardinality $|\tau(b)| + 1$ (in particular, $\mathcal{I}$ is finite iff $\tau(b)$ is finite, otherwise $\mathcal{I}$ is denumerable);

2. (partitioning of $\mathbb{T}$) the intervals in $\iota(b)$ form a partition of $\mathbb{T}$;

3. (intervals change at transition points) for all $i \in \mathcal{I}$ we have $\tau_i = u_i = l_{i+1}$;

4. ($b$ constant over intervals) for all $i \in \mathcal{I}$, for all $t_1, t_2 \in I_i$ we have $b(t_1) = b(t_2)$.

Note that $\iota(b)$ is unique for any fixed set $\tau(b)$ or, in other words, is unique up to translations of interval indices. Transitions at instants $\tau_i$ corresponding to singular intervals $I_i$ are called pointwise (or punctual) transitions.
Non-Berkeleyness. Some of the results of this paper will require a stronger regularity requirement than non-Zenoness, named "non-Berkeleyness" [FPR08a].

Definition 3 (Non-Berkeleyness). A behavior $b \in \mathcal{B}^{\mathbb{T}}_{\mathcal{P}}$ is non-Berkeley for $\delta \in \mathbb{R}_{>0}$ iff every maximal constancy interval contains a closed interval of size $\delta$. The set of all behaviors in $\mathcal{B}^{\mathbb{T}}_{\mathcal{P}}$ that are non-Berkeley for $\delta$ is denoted by $\mathcal{B}^{\mathbb{T}}_{\mathcal{P},\delta}$; with the notation introduced above, it is $\mathcal{B}^{\mathbb{T}}_{\mathcal{P},\delta} = \{ b \in \mathcal{B}^{\mathbb{T}}_{\mathcal{P}} \mid \forall I \in \iota(b) : \exists t \in I : [t, t + \delta] \subseteq I \}$. A behavior that is not non-Berkeley for any positive $\delta$ is called Berkeley.

Any behavior where some proposition holds at an isolated point $t$ is Berkeley: any $\delta > 0$ is such that $[t, t + \delta] \not\subseteq [t, t]$.

2.2 MTL: Syntax and Semantics 

This section defines formally the syntax and semantics of MTL. 



2.2.1 MTL Syntax 

In this paper only propositional temporal logics are considered; correspondingly, 
the elementary building block of temporal logic formulas is defined. 

Definition 4 (Propositional formulas). Propositional formulas $\pi \in PL$ are defined by the grammar $\pi ::= p \mid \neg p \mid \pi_1 \wedge \pi_2 \mid \pi_1 \vee \pi_2$ (for $p \in \mathcal{P}$) as Boolean combinations of propositional letters.

MTL formulas are obtained by combining propositional formulas with the bounded until $U_I$ metric modality, as well as its past counterpart bounded since $S_I$. We assume a negation normal form (NNF) syntax, where negations are pushed down to atomic propositions, as this will simplify the presentation of the results. Correspondingly, bounded release $R_I$ and bounded trigger $T_I$ operators, duals to the until and since operators, respectively, are introduced as primitive modalities.

Definition 5 (MTL formulas). MTL formulas for a time domain $\mathbb{T}$ are defined by the grammar:

$$\phi ::= \pi \mid \phi_1 \wedge \phi_2 \mid \phi_1 \vee \phi_2 \mid U_I(\phi_1, \phi_2) \mid S_I(\phi_1, \phi_2) \mid R_I(\phi_1, \phi_2) \mid T_I(\phi_1, \phi_2)$$

where $\pi \in PL$ ranges over propositional formulas and $I$ ranges over (possibly unbounded) intervals of the time domain $\mathbb{T}$ with endpoints in $\mathbb{T} \cap \mathbb{Q} \cup \{\pm\infty\}$ (notice that negative endpoints are allowed).

Henceforth, we will drop interval $I$ in modalities when it is $[0, +\infty)$. The results of this paper are focused on the flat subset $\flat$MTL of MTL, whose formulas do not nest temporal operators.³

Definition 6 (Flat MTL formulas). $\flat$MTL formulas for a time domain $\mathbb{T}$ are defined by the grammar:

$$\phi ::= \pi \mid \phi_1 \wedge \phi_2 \mid \phi_1 \vee \phi_2 \mid U_I(\pi_1, \pi_2) \mid S_I(\pi_1, \pi_2) \mid R_I(\pi_1, \pi_2) \mid T_I(\pi_1, \pi_2)$$

where $\pi, \pi_1, \pi_2 \in PL$ range over propositional formulas and $I$ ranges over (possibly unbounded) intervals of the time domain $\mathbb{T}$ with endpoints in $\mathbb{T} \cap \mathbb{Q} \cup \{\pm\infty\}$.

³ Different notions of flatness for (metric) temporal logic have been introduced in the literature [Dam99, UU00, BMOW07].
In the remainder of the paper, the following other MTL subsets will be needed.

• LTL is the MTL subset where all intervals $I$ are $[0, +\infty)$ (i.e., all operators are qualitative).

• $\Gamma$-$\flat$MTL, with $\Gamma$ any given set of MTL formulas, is the MTL subset defined by the same grammar as $\flat$MTL, except that $\pi$ is allowed to range over $PL \cup \Gamma$.

• An MTL formula is discrete-endpoint if all its intervals have endpoints in $\mathbb{Z} \cup \{\pm\infty\}$.

• An MTL formula is dense-endpoint if all its intervals have endpoints in $\mathbb{R} \cup \{\pm\infty\}$. It is clear that any MTL formula is dense-endpoint; we will use this redundant terminology whenever useful to characterize formulas to be interpreted over a dense time domain, as opposed to a discrete one.



2.2.2 MTL Semantics 

We define MTL semantics parametrically with respect to the time domain T. 

Definition 7 (MTL semantics). Let $b \in \mathcal{B}^{\mathbb{T}}_{\mathcal{P}}$ be a behavior over $\mathcal{P}$ and time domain $\mathbb{T}$. For $t \in \mathbb{T}$, MTL semantics is defined recursively as follows:⁴

$$
\begin{array}{lcl}
b(t) \models_{\mathbb{T}} p & \text{iff} & p \in b(t) \\[2pt]
b(t) \models_{\mathbb{T}} \neg p & \text{iff} & p \notin b(t) \\[2pt]
b(t) \models_{\mathbb{T}} \phi_1 \wedge \phi_2 & \text{iff} & b(t) \models_{\mathbb{T}} \phi_1 \text{ and } b(t) \models_{\mathbb{T}} \phi_2 \\[2pt]
b(t) \models_{\mathbb{T}} \phi_1 \vee \phi_2 & \text{iff} & b(t) \models_{\mathbb{T}} \phi_1 \text{ or } b(t) \models_{\mathbb{T}} \phi_2 \\[2pt]
b(t) \models_{\mathbb{T}} U_I(\phi_1, \phi_2) & \text{iff} & \exists d \in I \text{ s.t.: } t + d \in \mathbb{T},\ b(t + d) \models_{\mathbb{T}} \phi_2, \text{ and} \\
& & \forall t' \in [0, d) \oplus t \cap \mathbb{T} \text{ it is } b(t') \models_{\mathbb{T}} \phi_1 \\[2pt]
b(t) \models_{\mathbb{T}} S_I(\phi_1, \phi_2) & \text{iff} & \exists d \in I \text{ s.t.: } t - d \in \mathbb{T},\ b(t - d) \models_{\mathbb{T}} \phi_2, \text{ and} \\
& & \forall t' \in -[0, d) \oplus t \cap \mathbb{T} \text{ it is } b(t') \models_{\mathbb{T}} \phi_1 \\[2pt]
b(t) \models_{\mathbb{T}} R_I(\phi_1, \phi_2) & \text{iff} & \forall d \in I \text{ s.t. } t + d \in \mathbb{T} \text{ it is: } b(t + d) \models_{\mathbb{T}} \phi_2 \text{ or} \\
& & \exists t' \in [0, d) \oplus t \cap \mathbb{T} \text{ s.t. } b(t') \models_{\mathbb{T}} \phi_1 \\[2pt]
b(t) \models_{\mathbb{T}} T_I(\phi_1, \phi_2) & \text{iff} & \forall d \in I \text{ s.t. } t - d \in \mathbb{T} \text{ it is: } b(t - d) \models_{\mathbb{T}} \phi_2 \text{ or} \\
& & \exists t' \in -[0, d) \oplus t \cap \mathbb{T} \text{ s.t. } b(t') \models_{\mathbb{T}} \phi_1
\end{array}
$$

If $b(t) \models_{\mathbb{T}} \phi$ holds for all $t \in \mathbb{T}$ we write $b \models_{\mathbb{T}} \phi$.

We denote by $[\![\phi]\!]_{\mathbb{T}}$ (respectively $[\![\phi]\!]^{\delta}_{\mathbb{T}}$) the set of all non-Zeno (respectively non-Berkeley for $\delta$) models of formula $\phi$ over $\mathbb{T}$, i.e., $[\![\phi]\!]_{\mathbb{T}} = \{ b \in \mathcal{B}^{\mathbb{T}}_{\mathcal{P}} \mid b \models_{\mathbb{T}} \phi \}$ (respectively $[\![\phi]\!]^{\delta}_{\mathbb{T}} = \{ b \in \mathcal{B}^{\mathbb{T}}_{\mathcal{P},\delta} \mid b \models_{\mathbb{T}} \phi \}$). If $[\![\phi]\!]_{\mathbb{T}}$ is empty, $\phi$ is called $\mathbb{T}$-unsatisfiable, and $\mathbb{T}$-satisfiable otherwise. If $[\![\phi]\!]_{\mathbb{T}}$ coincides with $\mathcal{B}^{\mathbb{T}}_{\mathcal{P}}$, $\phi$ is called $\mathbb{T}$-valid. Similar definitions are assumed for $\mathbb{T}^{\delta}$-satisfiability and $\mathbb{T}^{\delta}$-validity, with respect to $[\![\phi]\!]^{\delta}_{\mathbb{T}}$. For $b \in \mathcal{B}^{\mathbb{T}}_{\mathcal{P}}$, we define the derived behavior $b_{\phi}$ that represents the truth value of $\phi$ over $b$ as:

$$
b_{\phi}(t) = \begin{cases}
b(t) \cup \{\phi\} & \text{if } b(t) \models_{\mathbb{T}} \phi \\
b(t) & \text{otherwise.}
\end{cases}
$$

For propositional letters $a, b$, $b_{a \backslash b}$ denotes the behavior obtained from $b$ by renaming $a$ into $b$.

⁴ In this paper, the notation $b(t) \models_{\mathbb{T}} \phi$ replaces the more common $b, t \models_{\mathbb{T}} \phi$.
Notice that MTL is closed under complement, even if this is not apparent in the definition of its syntax. More precisely, one can check that $b(t) \not\models_{\mathbb{T}} U_I(\phi_1, \phi_2)$ holds if and only if $b(t) \models_{\mathbb{T}} R_I(\neg\phi_1, \neg\phi_2)$ does, thus providing an indirect definition of negation. A similar relation holds for since with respect to trigger.

Definition 7 considers the basic modalities in their non-strict versions as, for instance, $U(\phi_1, \phi_2)$ requires $\phi_1$ to hold at the current instant; i.e., it constrains the present as well as the strict future. Also, a global satisfiability semantics is assumed, where $b \models_{\mathbb{T}} \phi$ entails that $\phi$ holds at all time instants $t \in \mathbb{T}$. This is different than the more common initial satisfiability semantics $\models^{\mathrm{init}}_{\mathbb{T}}$, where $b \models^{\mathrm{init}}_{\mathbb{T}} \phi$ is defined as simply $b(0) \models_{\mathbb{T}} \phi$. Section 2.3 discusses the impact of these choices on expressiveness.
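The following is an added worked example, not code from the paper: it transcribes the clauses of Definition 7 into a small Python evaluator over a finite discrete-time window and checks, on a constructed behavior, the until/release duality noted above together with global satisfiability of a bounded-response property. Assumptions not in the paper: the time domain is the finite set $\{0, \ldots, n-1\}$ (so the quantifications over $\mathbb{T}$ become loops), behaviors are lists of sets of letters, formulas are nested tuples, and the function names (`holds`, `sat`, `neg`, `bounded_response`) are mine.

```python
"""Evaluator for MTL over a finite discrete-time window (Definition 7, transcribed).
Assumption (not in the paper): T = {0, ..., n-1} where n is the length of the behavior."""
from math import inf


def interval(lo, hi, lo_closed=True, hi_closed=True):
    """Interval <lo, hi> of the time domain; +-inf endpoints are allowed."""
    return (lo, hi, lo_closed, hi_closed)


def in_interval(d, I):
    lo, hi, lc, hc = I
    return (lo < d or (lc and d == lo)) and (d < hi or (hc and d == hi))


def holds(b, t, phi):
    """b(t) |=_T phi, clause by clause as in Definition 7."""
    n = len(b)
    T = range(n)
    op = phi[0]
    if op == "top":
        return True
    if op == "bot":
        return False
    if op == "p":                      # propositional letter
        return phi[1] in b[t]
    if op == "not":                    # NNF: negation applies to letters only
        return phi[1] not in b[t]
    if op == "and":
        return holds(b, t, phi[1]) and holds(b, t, phi[2])
    if op == "or":
        return holds(b, t, phi[1]) or holds(b, t, phi[2])
    I, phi1, phi2 = phi[1], phi[2], phi[3]
    # only these offsets d can keep t+d (or t-d) inside the finite window
    ds = [d for d in range(-n, n) if in_interval(d, I)]

    def fwd(d):                        # [0, d) (+) t, restricted to T (empty if d <= 0)
        return [u for u in T if 0 <= u - t < d]

    def bwd(d):                        # -[0, d) (+) t, restricted to T
        return [u for u in T if 0 <= t - u < d]

    if op == "U":   # exists d in I: phi2 at t+d and phi1 throughout [0,d) (+) t
        return any(t + d in T and holds(b, t + d, phi2)
                   and all(holds(b, u, phi1) for u in fwd(d)) for d in ds)
    if op == "S":   # past mirror image of until
        return any(t - d in T and holds(b, t - d, phi2)
                   and all(holds(b, u, phi1) for u in bwd(d)) for d in ds)
    if op == "R":   # forall d in I with t+d in T: phi2 at t+d or phi1 somewhere on [0,d) (+) t
        return all(holds(b, t + d, phi2) or any(holds(b, u, phi1) for u in fwd(d))
                   for d in ds if t + d in T)
    if op == "T":   # past mirror image of release
        return all(holds(b, t - d, phi2) or any(holds(b, u, phi1) for u in bwd(d))
                   for d in ds if t - d in T)
    raise ValueError(f"unknown operator {op}")


def sat(b, phi):
    """Global satisfiability b |=_T phi: phi holds at every instant of the window."""
    return all(holds(b, t, phi) for t in range(len(b)))


def neg(phi):
    """NNF of not-phi, using the until/release and since/trigger dualities."""
    op = phi[0]
    if op == "p":
        return ("not", phi[1])
    if op == "not":
        return ("p", phi[1])
    if op in ("top", "bot"):
        return ("bot",) if op == "top" else ("top",)
    if op in ("and", "or"):
        return ("or" if op == "and" else "and", neg(phi[1]), neg(phi[2]))
    dual = {"U": "R", "R": "U", "S": "T", "T": "S"}
    return (dual[op], phi[1], neg(phi[2]), neg(phi[3]))


def duality_holds(b, phi):
    """True iff at every instant b(t) |= phi exactly when b(t) does not satisfy neg(phi)."""
    return all(holds(b, t, phi) != holds(b, t, neg(phi)) for t in range(len(b)))


def bounded_response(k):
    """p => Diamond_[0,k](q), with the derived Diamond_I(q) written as U_I(top, q)."""
    return ("or", ("not", "p"), ("U", interval(0, k), ("top",), ("p", "q")))


def unbounded_response():
    """p => Diamond(q), i.e. the interval [0, +inf)."""
    return ("or", ("not", "p"), ("U", interval(0, inf, True, False), ("top",), ("p", "q")))


# Constructed discrete-time behavior (not from the paper): b(t) for t = 0..5
B = [set(), {"p"}, {"p"}, {"q"}, set(), {"p", "q"}]

if __name__ == "__main__":
    print(sat(B, bounded_response(2)), sat(B, bounded_response(1)))  # True False
```

Because the window is finite, an instant near its end has fewer future instants than it would over $\mathbb{Z}$; the clauses still follow Definition 7 literally, with the side condition $t + d \in \mathbb{T}$ doing the truncation.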



2.2.3 Derived Operators and Variants 

Standard abbreviations are assumed, such as for $\top$, $\bot$, $\Rightarrow$, and $\Leftrightarrow$.

It is also customary to introduce a number of derived temporal operators; those used in this paper are listed in Table 1. Let us remark that the definitions of Table 1 do not nest temporal operators, hence they define $\flat$MTL formulas if their arguments are propositional formulas.

The first set of derived operators are the quantitative versions of the well-known eventually $\Diamond$ and globally $\Box$ modalities of classic (qualitative) linear temporal logic. On the other hand, $\mathrm{Alw}(\phi)$ declares $\phi$ to hold always, i.e., at all time instants in the future and in the past, whereas $\mathrm{Som}(\phi)$ declares $\phi$ to hold sometimes.

The second set of derived operators are the nowon $\bigcirc$ modality and its variant $\triangle$, with their past counterparts uptonow $\overleftarrow{\bigcirc}$ and $\overleftarrow{\triangle}$. Over dense-time non-Zeno behaviors, $\bigcirc(\phi)$ holds at $t$ whenever there is a non-empty open interval $E = (0, \epsilon)$ (with $\epsilon > 0$) such that $\phi$ holds continuously over $t \oplus E$. On the other hand, $\triangle(\phi)$ holds at $t$ whenever $\phi$ holds nowon or $\phi$ holds precisely at $t$. These operators are useful only over dense time, as they can be seen to be trivially equivalent to their arguments over discrete time.

Finally, the last set of derived operators introduce so-called matching variants [FR07] of the basic until and release modalities. For instance matching until $U^{\uparrow}_I(\phi_1, \phi_2)$ requires both arguments $\phi_1$ and $\phi_2$ to hold together at some future instant, whereas $U_I(\phi_1, \phi_2)$ demands only $\phi_2$ to hold at some future instant. The next section discusses the impact of these variants on expressiveness.

The value of propositional formulas changes at most every $\delta$ time units over non-Berkeley behaviors $\mathcal{B}^{\mathbb{R}}_{\mathcal{P},\delta}$; more precisely the following holds.

Lemma 8. Let $b \in \mathcal{B}^{\mathbb{R}}_{\mathcal{P},\delta}$, $t \in \mathbb{R}$, and $\pi \in PL$, such that $b(t) \models_{\mathbb{R}} \pi$. There exist $c_n, c_p \in \mathbb{R}$ with $c_n - c_p \ge \delta$ and $c_p \le t \le c_n$ such that: (1) $b(t') \models_{\mathbb{R}} \pi$ for all $t' \in (c_p, c_n)$; (2) $b(c_n) \models_{\mathbb{R}} \Box_{(0,\delta)}(\neg\pi) \vee \Box(\pi)$; and (3) $b(c_p) \models_{\mathbb{R}} \overleftarrow{\Box}_{(0,\delta)}(\neg\pi) \vee \overleftarrow{\Box}(\pi)$. If in particular $c_n - c_p = \delta$ then also $b(c_n) \models_{\mathbb{R}} \pi$ and $b(c_p) \models_{\mathbb{R}} \pi$.

Proof. The proof follows easily from Definition 3, which entails that non-Berkeley behaviors $b \in \mathcal{B}^{\mathbb{R}}_{\mathcal{P},\delta}$ are piecewise-constant functions of time whose discontinuities are at least $\delta$ time units apart. □
$$
\begin{array}{lcl}
\text{Operator} & & \text{Definition} \\ \hline
\Diamond_I(\phi) & \triangleq & U_I(\top, \phi) \\
\overleftarrow{\Diamond}_I(\phi) & \triangleq & S_I(\top, \phi) \\
\Box_I(\phi) & \triangleq & R_I(\bot, \phi) \\
\overleftarrow{\Box}_I(\phi) & \triangleq & T_I(\bot, \phi) \\
\mathrm{Alw}(\phi) & \triangleq & \overleftarrow{\Box}(\phi) \wedge \Box(\phi) \\
\mathrm{Som}(\phi) & \triangleq & \overleftarrow{\Diamond}(\phi) \vee \Diamond(\phi) \\ \hline
\bigcirc(\phi) & \triangleq & U_{>0}(\phi, \top) \vee (\neg\phi \wedge R_{>0}(\phi, \bot)) \\
\overleftarrow{\bigcirc}(\phi) & \triangleq & S_{>0}(\phi, \top) \vee (\neg\phi \wedge T_{>0}(\phi, \bot)) \\
\triangle(\phi) & \triangleq & \phi \vee \bigcirc(\phi) \\
\overleftarrow{\triangle}(\phi) & \triangleq & \phi \vee \overleftarrow{\bigcirc}(\phi) \\ \hline
U^{\uparrow}_I(\phi_1, \phi_2) & \triangleq & U_I(\phi_1, \phi_2 \wedge \phi_1) \\
S^{\uparrow}_I(\phi_1, \phi_2) & \triangleq & S_I(\phi_1, \phi_2 \wedge \phi_1) \\
R^{\uparrow}_I(\phi_1, \phi_2) & \triangleq & R_I(\phi_1, \phi_2 \vee \phi_1) \\
T^{\uparrow}_I(\phi_1, \phi_2) & \triangleq & T_I(\phi_1, \phi_2 \vee \phi_1)
\end{array}
$$

Table 1: MTL derived temporal operators



2.3 Relations with Other Metric Temporal Logics 

This section discusses expressiveness, decidability, and complexity results about 
MTL as has been introduced above. 

2.3.1 Expressiveness 

When defining the semantics of MTL formulas, several different choices are 
possible. 

Global vs. initial satisfiability. First of all, notice that initial satisfiability is unambiguous only for mono-infinite time domains [PP04]. For such domains, it is clear that the global satisfiability semantics can be reduced to local satisfiability, as $b \models_{\mathbb{T}} \phi$ holds if and only if $b(0) \models_{\mathbb{T}} \mathrm{Alw}(\phi)$ does. Conversely, local satisfiability is also reducible to global satisfiability, as for instance $b \models_{\mathbb{R}_{\ge 0}} \overleftarrow{\Box}_{>0}(\bot) \Rightarrow \phi$ is equivalent to $b(0) \models_{\mathbb{R}_{\ge 0}} \phi$ for the mono-infinite time domain $\mathbb{R}_{\ge 0}$, where $\overleftarrow{\Box}_{>0}(\bot)$ holds only at time 0. Therefore the two definitions of satisfiability are essentially equivalent for generic MTL formulas.

However, global satisfiability is significantly more expressive than initial satisfiability for flat $\flat$MTL formulas [FR07]. In particular, the expressiveness of the flat fragment is non-trivial under such global semantics as it corresponds to an implicit nesting of a qualitative temporal operator over the simpler initial satisfiability semantics. This entails that most common (real-time) properties, such as (bounded) response and (bounded) invariance [Koy90], can be easily expressed with flat formulas under the global satisfiability semantics. This is the main reason for adopting such a semantics in this paper whose results are focused on the flat fragment of MTL.
Flat vs. nesting. The syntactic restriction of flatness is also a semantic restriction, i.e., $\flat$MTL is strictly less expressive than full MTL. This is the case not only for dense time (which has been proved in [FR07]) but also for discrete time (which has been proved in [EW96, TW04, KS05, DS02] already for qualitative temporal logic), and regardless of whether a global or initial satisfiability semantics is assumed.

On the other hand, if we consider the weaker requirement of inter-reducibility of the satisfiability problems over global satisfiability, $\flat$MTL is as powerful as full MTL. In other words, given any MTL formula $\phi$, it is possible to build a flat formula $\phi' \in \flat$MTL which is globally satisfiable if and only if $\phi$ is. In general, $\phi'$ "flattens" $\phi$ by introducing additional propositional letters that are equivalent to matching nested sub-formulas in $\phi$, as shown in the following.

Example 9. Let $\phi = p \Rightarrow \Diamond_{<3}(\Diamond(\Box_{=2}(q)))$. Let us introduce the auxiliary propositions $a_1$ and $a_2$ defined as equivalent to $\Box_{=2}(q)$ and $\Diamond(a_1)$ respectively. Hence, the derived flat formula

$$\phi' = (p \Rightarrow \Diamond_{<3}(a_2)) \wedge (a_1 \Leftrightarrow \Box_{=2}(q)) \wedge (a_2 \Leftrightarrow \Diamond(a_1))$$

is equi-satisfiable to $\phi$ under the global satisfiability semantics.

Details of this straightforward idea are shown in [Fur07, DMP07] for dense time models, but it should be clear that a similar result can be proved for discrete time as well.

Let us finally consider dense-time behaviors that are non-Berkeley. In this case, the expressiveness gap between flat and nesting formulas still exists [FR07]. On the other hand, "flattening" is more intricate and cannot be done as with generic behaviors without breaking non-Berkeleyness as shown in the following example and discussed at greater length in Section 3.4.

Example 10. MTL formula $\psi = \mathrm{Som}(\overleftarrow{\bigcirc}(\neg p) \wedge \bigcirc(p))$ describes behaviors where there exists a transition of proposition $p$ from false to true. $\psi$ is satisfiable over non-Berkeley behaviors $\mathcal{B}^{\mathbb{R}}_{\mathcal{P},\delta}$ for any positive $\delta$. However, consider the flattening $\psi'$ of $\psi$ built according to the procedure described above.

$$\psi' = \mathrm{Som}(a) \wedge (a \Leftrightarrow \overleftarrow{\bigcirc}(\neg p) \wedge \bigcirc(p))$$

Any behavior $b \in \mathcal{B}^{\mathbb{R}}_{\mathcal{P}}$ such that $b \models_{\mathbb{R}} \psi'$ requires $a$ to hold at some instant $t$. However, sub-formula $a \Leftrightarrow \overleftarrow{\bigcirc}(\neg p) \wedge \bigcirc(p)$ forces $a$ to hold only exactly at the transition points of $p$, pointwisely: any such $b$ is Berkeley because $\overleftarrow{\bigcirc}(\neg p) \wedge \bigcirc(p)$ holds only at isolated points. Hence, $\psi$ and $\psi'$ are not equi-satisfiable over non-Berkeley behaviors for any $\delta > 0$.

Strictness and matchingness. The semantics of an until formula with arguments $\phi_1, \phi_2$ requires the first argument $\phi_1$ to hold over an interval $J = \langle 0, d \rangle \oplus t$ from current instant $t$. $J$ can be taken to be open, half-open (with the left or right end-point included), or closed. Correspondingly four variants of until are possible. Each of them is labeled strict if $J$ is open to the left and non-strict otherwise; and matching if $J$ is closed to the right and non-matching otherwise [FR07]. The most common variant of the until operator is strict and non-matching, as it is simple to see that the three other variants are reducible to it. On the contrary, this paper adopts a non-strict non-matching until as basic operator, as the presentation of the results is more natural with non-strict operators.

In related work [FR07], we proved that all variants carry the same expressive power for MTL over dense- and discrete-time behaviors. On the contrary, strict until is more expressive than non-strict until for flat $\flat$MTL formulas.⁵

2.3.2 Decidability and Complexity 

It is well-known that full MTL is undecidable over (non-Zeno) dense-time behaviors [AH93]. The same holds for flat $\flat$MTL as its satisfiability problem is inter-reducible to the same problem for full MTL.

On the contrary, MTL becomes fully decidable over discrete time, with EXPSPACE-complete complexity [AH93]. MTL is also fully decidable over non-Berkeley dense-time behaviors $\mathcal{B}^{\mathbb{R}}_{\mathcal{P},\delta}$ for any fixed $\delta$, with the same complexity as over discrete time [FR08].

3 Sampling Invariance 

Throughout this section we assume R as dense (and continuous) time domain, 
and Z as discrete time domain. It should be noted, however, that nearly all 
definitions and results can be adapted with little effort to work with different 
pairs of dense and discrete time domains as well, most notably the nonnegative 
reals and the naturals. 

3.1 Definitions 

3.1.1 Sampling Functions 

A sampling function is a mapping between dense-time behaviors and discrete-time behaviors such that the latter are obtained by "sampling", in some sense, the values of the former. We use $\varsigma_{\delta,z}$ to denote a generic sampling function that is parametric with respect to a sampling period $\delta$ and an origin $z$.

The canonical sampling is a particular sampling function that models an idealized sampling process where a discrete-time behavior is obtained from a dense-time behavior by observing it at all instants corresponding to integer multiples of a chosen period $\delta$.

Definition 11 (Canonical sampling of a behavior). Let $b \in \mathcal{B}^{\mathbb{R}}_{\mathcal{P}}$ be a dense-time behavior, $\delta \in \mathbb{R}_{>0}$ a positive real, and $z \in \mathbb{R}$ a basic offset. The canonical sampling $\sigma_{\delta,z}[b]$ of $b$ is the discrete-time behavior in $\mathcal{B}^{\mathbb{Z}}_{\mathcal{P}}$ defined by:

$$\forall k \in \mathbb{Z} : \sigma_{\delta,z}[b](k) = b(z + k\delta)$$

We call $\delta$ the sampling period and $z$ the origin of the sampling. Note that $\sigma_{\delta,z}$ is onto and total⁶ for any $\delta, z$.

⁵ [FR07] proves this for dense-time behaviors, but the same can be seen to hold over discrete-time behaviors as well.

⁶ That is, it is defined for every $b \in \mathcal{B}^{\mathbb{R}}_{\mathcal{P}}$.

Conversely, given a discrete-time behavior $d \in \mathcal{B}^{\mathbb{Z}}_{\mathcal{P}}$, $\sigma^{-1}_{\delta,z}[d]$ is the set of all dense-time behaviors such that their sampling is $d$.

$$\sigma^{-1}_{\delta,z}[d] = \{ b \in \mathcal{B}^{\mathbb{R}}_{\mathcal{P}} \mid d = \sigma_{\delta,z}[b] \}$$
3.1.2 On Dense- vs. Discrete-Time Semantics 

Consider some MTL formula $\phi$ that can be interpreted over both dense- and discrete-time behaviors. Its semantics is characterized by its dense-time models $[\![\phi]\!]_{\mathbb{R}}$ on the one hand, and by its discrete-time models $[\![\phi]\!]_{\mathbb{Z}}$ on the other hand. These two sets correspond to two different semantics for the same formula. The fact that the discrete time domain is a subset of the dense time domain prompts us to investigate the existence of a general relation linking the two sets $[\![\phi]\!]_{\mathbb{R}}$ and $[\![\phi]\!]_{\mathbb{Z}}$. More precisely, we seek simple conditions under which elements in $[\![\phi]\!]_{\mathbb{Z}}$ are precisely those obtained from elements in $[\![\phi]\!]_{\mathbb{R}}$ by applying the sampling function $\sigma_{\delta,z}$ for some $\delta, z$.

This ideal requirement must be relaxed to some extent to be achievable in 
practice, for a number of reasons that are outlined informally in the following 
example. 

Example 12. There are three fundamental discrepancies between discrete- and dense-time semantics that must be accommodated to reconcile them according to the notion of sampling.

The first has to do with differences in terms of time units. Consider for instance formula $\Box_{<2}(p)$; when interpreted over dense time, it states that $p$ holds for 2 time units. If we switch to a discrete-time interpretation and consider a sampling period of, say, $\delta = 3/10$, we would like the formula to refer to the same "sampled" interval. Hence, it should be changed to $\Box_{<20/3}(p)$ because the dense-time interval of length 2 becomes a discrete-time interval containing $2/(3/10)$ sampling instants.

However, $\Box_{<20/3}(p)$ cannot yet be interpreted over discrete time, as $20/3$ is not an integer; this shows a discrepancy in terms of granularity between dense and discrete sets. Of course, this problem can be solved by rounding the rational value to the nearest integer value, by taking its floor 6 or its ceiling 7. More precisely, whether to round up or down is decided in order to have a conservative approximation of the semantics. Intuitively, this means that intervals in "universal" formulas such as $\Box_I(p)$ are rounded down (thus shrinking the interval into a smaller one), whereas intervals in "existential" formulas such as $\Diamond_I(p)$ are rounded up (thus expanding the interval into a larger one).

A similar granularity problem arises when interpreting a discrete-endpoint formula over dense time. Consider the example of formula $\Diamond_{[1,2]}(p)$ that requires $p$ to hold one or two (discrete) time units in the future. In terms of dense-time units, $p$ must occur over the interval $[\delta, 2\delta] = [3/10, 3/5]$. However, the formula must hold also in between sampling instants when interpreted over dense-time behaviors. We will show that this feature of the dense-time semantics can be accommodated by expanding symmetrically the scaled interval into $[(1-1)\delta, (2+1)\delta] = [0, 9/10]$.

The last subtlety has to do with the change speed of dense-time behaviors with respect to the sampling period. Consider behavior $b$ over proposition $p$ such that $p$ holds for less than $\delta$ time units, say over $[\delta/4, \delta/2]$. Formula $\mathrm{Som}(p)$ is clearly satisfied by $b$ over dense time. However, any sampling $\sigma_{\delta,z}[b]$, for any $z \in (-\delta/2, \delta/4) \cup (\delta/2, \infty)$, does not have any sampling instant within $[\delta/4, \delta/2]$, and formula $\mathrm{Som}(p)$ is not satisfied by any such $\sigma_{\delta,z}[b]$. This shows that only dense-time behaviors where state changes are sufficiently sparse can guarantee that formula satisfaction is preserved while moving to a sampled discrete-time semantics.

The discrepancies outlined above are bridged by introducing suitable notions. The concept of slowly-changing behavior is captured by the non-Berkeleyness constraint, introduced in Section 2.1. The following notion of adaptation function formalizes instead changes to intervals in MTL formulas, which take discrepancies between time units and granularities into account.

Definition 13 (Adaptation). A $\mathbb{R}$-to-$\mathbb{Z}$ adaptation is a mapping from dense-endpoint to discrete-endpoint MTL formulas; a $\mathbb{Z}$-to-$\mathbb{R}$ adaptation is a mapping from discrete-endpoint to dense-endpoint MTL formulas.
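The following is an added worked example, not code from the paper: it makes the three discrepancies of Example 12 concrete by implementing the canonical sampling of Definition 11 on a piecewise-constant dense-time behavior, the non-Berkeley check of Definition 3, and the two interval rescalings of Example 12 (inward rounding for universal formulas, outward rounding for existential ones, and the symmetric expansion by one period for discrete intervals read over dense time) as simple adaptations of interval endpoints. Assumptions not in the paper: a dense-time behavior is given as a finite list of constancy intervals $[l, u)$ with the set of letters true on each, the window $[0, 3)$ stands for the whole time domain (its first and last intervals are treated as maximal), exact rationals (`Fraction`) replace reals, and the behaviors `PULSE`, `SLOW` and all function names are constructed by me.

```python
"""Canonical sampling, non-Berkeleyness and interval adaptation (Example 12), as an added
illustration. Assumption: dense-time behaviors are finite lists of (l, u, letters) with
letters constant on [l, u); the window [0, 3) is treated as the whole time domain."""
from fractions import Fraction as F
from math import floor, ceil

DELTA = F(3, 10)   # the sampling period of Example 12

# Constructed behaviors (not from the paper).
# PULSE: p holds only over [delta/4, delta/2), a pulse shorter than the sampling period.
PULSE = [(F(0), DELTA / 4, set()), (DELTA / 4, DELTA / 2, {"p"}), (DELTA / 2, F(3), set())]
# SLOW: every constancy interval lasts 1 > delta time units, so it is non-Berkeley for delta.
SLOW = [(F(0), F(1), {"p"}), (F(1), F(2), set()), (F(2), F(3), {"p"})]


def value_at(segments, t):
    """b(t) for a behavior given as constancy intervals [l, u)."""
    for l, u, letters in segments:
        if l <= t < u:
            return letters
    raise ValueError(f"{t} lies outside the represented window")


def canonical_sampling(segments, delta, z, ks):
    """sigma_{delta,z}[b](k) = b(z + k*delta) (Definition 11), for the indices k in ks."""
    return [value_at(segments, z + k * delta) for k in ks]


def is_non_berkeley(segments, delta):
    """Definition 3: every *maximal* constancy interval contains a closed interval of
    length delta. Adjacent segments with the same value are merged first so that the
    check really is on maximal intervals; [t, t+delta] fits in [l, u) iff u - l > delta."""
    maximal = []
    for l, u, letters in segments:
        if maximal and maximal[-1][2] == letters:
            maximal[-1] = (maximal[-1][0], u, letters)
        else:
            maximal.append((l, u, letters))
    return all(u - l > delta for l, u, _ in maximal)


def holds_somewhere(segments, letter):
    """Dense-time Som(letter) on a piecewise-constant behavior."""
    return any(letter in letters for _, _, letters in segments)


def some(samples, letter):
    """Discrete-time Som(letter) on a list of samples."""
    return any(letter in s for s in samples)


def r_to_z(lo, hi, delta, universal):
    """Dense interval endpoints rescaled to sampling steps and rounded as in Example 12:
    inward for universal formulas such as Box_I (conservative shrinking),
    outward for existential formulas such as Diamond_I (conservative expansion)."""
    lo_s, hi_s = F(lo) / delta, F(hi) / delta
    if universal:
        return (ceil(lo_s), floor(hi_s))
    return (floor(lo_s), ceil(hi_s))


def z_to_r(lo, hi, delta):
    """Discrete interval [lo, hi] read over dense time: rescale by delta and expand
    symmetrically by one sampling step on each side, as in Example 12."""
    return ((lo - 1) * delta, (hi + 1) * delta)


if __name__ == "__main__":
    print(r_to_z(0, 2, DELTA, universal=True), r_to_z(0, 2, DELTA, universal=False))
    print(z_to_r(1, 2, DELTA))
    print(some(canonical_sampling(PULSE, DELTA, F(0), range(10)), "p"))
```

With origin $z = 0$ the ten samples of `PULSE` fall at $0, 0.3, \ldots, 2.7$ and miss the pulse entirely, so $\mathrm{Som}(p)$ is lost under sampling even though it holds over dense time; shifting the origin to $z = \delta/4$ recovers it, which is exactly the dependence on $z$ that Example 12 points out. `SLOW` passes the non-Berkeley test, and any origin finds $p$ in it.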

3.1.3 Sampling Invariance 

We can finally introduce the definition of sampling invariance over non-Berkeley behaviors, which captures appropriately a notion of equivalence under sampling of models of MTL formulas.

Definition 14 (Sampling invariance). Let $\phi$ be an MTL formula over alphabet $\mathcal{P}$; $\upsilon_{\mathbb{R}}, \upsilon_{\mathbb{Z}}$ a $\mathbb{R}$-to-$\mathbb{Z}$ and $\mathbb{Z}$-to-$\mathbb{R}$ adaptation, respectively; $\delta$ a sampling period; and $\varsigma_{\delta,z}$ a sampling function.

• $\phi$ is closed under sampling (c.u.s.) iff for any non-Berkeley behavior $b \in \mathcal{B}^{\mathbb{R}}_{\mathcal{P},\delta}$ and any origin $z$:

$$b \in [\![\phi]\!]_{\mathbb{R}} \text{ implies } \varsigma_{\delta,z}[b] \in [\![\upsilon_{\mathbb{R}}[\phi]]\!]_{\mathbb{Z}}$$

• $\phi$ is closed under inverse sampling (c.u.i.s.) iff for any discrete-time behavior $b \in \mathcal{B}^{\mathbb{Z}}_{\mathcal{P}}$ and any origin $z$:

$$b \in [\![\phi]\!]_{\mathbb{Z}} \text{ implies } \forall b' \in \varsigma^{-1}_{\delta,z}[b] \cap \mathcal{B}^{\mathbb{R}}_{\mathcal{P},\delta} \text{ it is } b' \in [\![\upsilon_{\mathbb{Z}}[\phi]]\!]_{\mathbb{R}}$$

• $\phi$ is sampling invariant (s.i.) iff it is c.u.s. if it is a dense-endpoint formula and it is c.u.i.s. if it is a discrete-endpoint formula.

Definition 14 depends on several parameters: $\mathbb{R}$-to-$\mathbb{Z}$ and $\mathbb{Z}$-to-$\mathbb{R}$ adaptations, a sampling period $\delta$, and a sampling function $\varsigma_{\delta,z}$. In the following we will use the expression "sampling invariance (c.u.s. or c.u.i.s.) with respect to" to highlight a particular choice for the parameters (when they are not obvious from the context).



3.2 Illustrative Examples 

Before delving into the technical details of sampling invariance for generic MTL formulas, this sub-section illustrates the fundamental ideas that underlie the results of the paper. The presentation is deliberately partly informal and based on examples, with the goal of stimulating the intuition that substantiates the choice of adaptations (in Section 3.3.1) and the rationale of the technical proofs (in Section 3.3). In all the examples of this sub-section, we assume a sampling period $\delta = 1$.

Figure 2: (a) Behaviors $c_1, d_1$; (b) behaviors $c_2, d_2$; (c) behaviors $c_3, d_3$; (d) behaviors $c_4, d_4$; (e) behaviors $c_5, d_5$; (f) behaviors $c_6, d_6$. In all the pictures, the behavior of $p$ is pictured by solid lines (in dense time) and discs (in sampled discrete time); the behavior of $q$ is pictured by dotted lines (in dense time) and circles (in sampled discrete time); the higher value in any behavior corresponds to a T truth value; for $i = 1, \ldots, 6$, $c_i$ denotes the dense-time behavior and $d_i$ its discrete-time sampling.

The first example demonstrates the need for non-Berkeley behaviors with the same $\delta$ as the chosen sampling period. Consider formula $\Diamond_{[2,5]}(p)$ and the behavior for $p$ in Figure 2(a): $\Diamond_{[2,5]}(p)$ holds everywhere in dense time, but $p$ keeps on switching truth value in such a way that it is false at every sampled instant. If the sampling period is not commensurate to the "speed" of the dense-time behavior there is always the possibility of similarly twisted behaviors which prevent achieving c.u.s. even for very simple formulas. This justifies using the same $\delta$ for the non-Berkeley behaviors $\mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$ and the sampling function $\sigma_{\delta,z}$.

If we assume such a constraint on the behaviors considered, c.u.s. is straightforward for "existential" (that is, "eventually") formulas. Consider again formula $\Diamond_{[2,5]}(p)$ and the behavior for $p$ in Figure 2(b). It should be clear that $c_2 \models \Diamond_{[2,5]}(p)$ because $p$ holds at least once in any closed interval of length 3. It follows that the same holds for the discrete-time sampling $d_2$ of $c_2$. In fact, consider any interval $I$ of size 3 with integer endpoints and an instant within $I$ where $p$ holds. Non-Berkeleyness entails that $p$ holds until the next sampling instant, since the previous sampling instant, or both. Hence, it reaches a sampling instant that fits the interval $I$ over discrete time, which satisfies formula $\Diamond_{[2,5]}(p)$ over discrete time. This can be generalized to show that no change in the time interval is required for existential formulas when passing from dense- to discrete-time interpretations, except for scaling the units according to the sampling period. As a concrete example, in Figure 2(b) evaluate $\Diamond_{[2,5]}(p)$ at $-1$, which references the dense-time interval $[1,4]$. Consider the instant between 1 and 2 marked with a cross where $p$ holds; $p$ also holds since 1, which is a sampling instant that belongs to the discrete-time interval $[1,4]$.

A similar reasoning works for "universal" (that is, "always") formulas, such as $q \Rightarrow \Box_{[2,5]}(p)$. Behavior $c_3$ in Figure 2(c) is such that $c_3 \models q \Rightarrow \Box_{[2,5]}(p)$; in particular $p$ has to hold over the dense-time interval $[1,4]$. Over discrete time, sampled values of $p$ have to hold over the discrete-time interval with the same endpoints, which is obviously the case. Again, this generalizes to universal formulas, which do not require changes in the time intervals when adapting them from dense- to discrete-time interpretations.

Things are more convoluted for c.u.i.s., which mandates changing the size of the intervals according to the type of formula, existential or universal. Let us consider again the existential formula $\Diamond_{[2,5]}(p)$; it holds everywhere in the discrete-time behavior $d_4$ in Figure 2(d). If, however, the same formula is interpreted over the dense-time behavior $c_4$, of which $d_4$ is a sampling, it does not hold everywhere. In particular, it holds at $-2$ and $-1$ but it does not hold in the open interval $(-2,-1)$: see the cross mark and the corresponding interval of size 3 starting between 0 and 1. The problem here is that non-Berkeleyness is a constraint on speed, not synchronization: the two samplings of $p$ at 0 and 4 record the value of the dense-time behavior $c_4$ respectively right before 0 and right after 4, hence leaving it unconstrained in the open interval $(0,4)$ of size larger than 3. The "interval of uncertainty" is never larger than one sampling period on each side, hence we suggest to introduce a $\mathbb{Z}$-to-$\mathbb{R}$ adaptation that grows intervals in existential formulas by this amount, thus accommodating the uncertainty in the worst case. In the example, the adapted formula is $\Diamond_{[1,6]}(p)$, which clearly holds everywhere over $c_4$.



The dual reasoning suggests the adaptation for universal formulas such as $q \Rightarrow \Box_{[2,5]}(p)$. In Figure 2(e) the formula holds everywhere over discrete time. Over dense time, however, $q$ holds shortly before $-1$ (see cross mark) but $p$ does not hold everywhere in the corresponding interval of size 3 starting shortly before 1. Again, a weaker formula holds over dense time, obtained by shrinking intervals in universal formulas by one sampling period on each side; the $\mathbb{Z}$-to-$\mathbb{R}$ adaptation has to implement such a modification. In the example, the adapted formula is $q \Rightarrow \Box_{[3,4]}(p)$, which clearly holds everywhere over $c_5$.

In order to rigorously extend the informal reasoning so far to arbitrary flat MTL formulas, we have to combine "eventually" and "always" formulas with the binary until and release modalities. Let us demonstrate the intuition behind handling the former, which turns out to be more intricate. Consider a qualitative formula $\mathrm{U}(q,p)$ and the behavior in Figure 2(f); let $x$ denote the time instant between 1 and 2 marked with a cross and assume that $p$ holds, in particular, precisely at $x$. Then, the until formula $\mathrm{U}(q,p)$ holds continuously over the interval $(-\infty,1]$ in dense time (and beyond, up to $x$). Correspondingly, the same formula holds over the discrete interval $(-\infty,1]$ in discrete time. This suggests that until formulas are c.u.s., as we will demonstrate formally in the rest of the paper.

Closure under inverse sampling is, again, more problematic. Consider the same formula $\mathrm{U}(q,p)$ and the same discrete-time behavior $d_6$; we have seen that the until formula holds over the discrete interval $(-\infty,1]$ in discrete time. Take a slightly different dense-time behavior, one where $p$ is false and $q$ is true at $x$ and everything else is as in $c_6$; let us name $c'_6$ this modified behavior. Obviously, $d_6$ is a sampling of $c'_6$ as well as of $c_6$. However, $\mathrm{U}(q,p)$ does not hold anywhere in $(-\infty,1]$ over $c'_6$ because $p$ becomes true left-continuously at $x$, which is incompatible with the dense-time semantics of until. In this case, the $\mathbb{Z}$-to-$\mathbb{R}$ adaptation will have to replace the second argument $p$ of the until formula with the weaker $\Delta(p)$, which holds at $x$ in $c'_6$ (as well as in $c_6$). Alternatively, no adaptation is needed if we consider the stronger matching variant of until $\mathrm{U}^{\mathrm{m}}(q,p)$, where $p$ and $q$ would have to hold together at 1 or 2 in discrete time.

The following sub-sections present rigorous proofs of s.i. of MTL formulas 
that build upon the intuition behind the examples in the present sub-section. 



3.3 Sampling Invariance for MTL 

This section provides a proof of the following fundamental result: there exist two suitable regular adaptations $\eta^{\mathbb{R}}_{\delta}, \eta^{\mathbb{Z}}_{\delta}$ such that $\flat$MTL is s.i. for the canonical sampling $\sigma_{\delta,z}$. In addition, the adaptations can be proved to introduce minimal changes in the intervals of the adapted formulas, in the sense of Theorems 17 and 18 below.
3.3.1 Canonical Adaptations

Consider $\mathbb{R}$-to-$\mathbb{Z}$ adaptation $\eta^{\mathbb{R}}_{\delta}$, parametric with respect to positive real parameter $\delta$, defined inductively as follows.

Consider $\mathbb{Z}$-to-$\mathbb{R}$ adaptation $\eta^{\mathbb{Z}}_{\delta}$, parametric with respect to positive real parameter $\delta$, defined inductively as follows.⁷

The proof of Theorem 15 will show that the asymmetry in the adaptation for until (and since) operators is needed to reconcile the non-matching semantics over discrete and dense time. Alternatively, one can assume discrete-endpoint until (and since) operators in their matching variant (see Table 1), which preserves the symmetry in the adaptations. We include them explicitly in the treatment also because they will be useful for the results of Section 4.

We name $\eta^{\mathbb{R}}_{\delta}$ and $\eta^{\mathbb{Z}}_{\delta}$ canonical adaptations.



7 The restriction to closed intervals is clearly without loss of generality over discrete time. 
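The following Python script is an added example (it is not code from the paper or its authors) that makes the ideas of Section 3.2 and the interval adaptation used in the proof of Theorem 15 concrete. It represents a dense-time behavior by the closed intervals on which each letter holds, samples it with $\sigma_{\delta,z}$, checks non-Berkeleyness, evaluates flat formulas built from $\Diamond_{[l,u]}$, $\Box_{[l,u]}$ and $\Rightarrow$ over both time domains, and adapts intervals in both directions. The behaviors $c_2, c_4, c_5$ are constructed to mirror the situations of Figures 2(b), 2(d) and 2(e), not read off the paper's pictures; the $\mathbb{R}$-to-$\mathbb{Z}$ rule follows the until and release cases of the proof of Theorem 15, while the $\mathbb{Z}$-to-$\mathbb{R}$ rule implements the informal grow/shrink intuition of Section 3.2 rather than the paper's canonical $\eta^{\mathbb{Z}}_{\delta}$ (which, as the proof of Theorem 15 shows, also rewrites the until's second argument).

```python
# Added example: sampling, non-Berkeleyness and (inverse) closure under sampling
# for flat MTL formulas on constructed behaviours (Figure 2 style; delta=1, z=0).
from fractions import Fraction as Fr
from math import floor, ceil

DELTA, Z = Fr(1), Fr(0)
KS = range(-12, 13)          # discrete instants kept by the sampling

# Dense behaviour: letter -> sorted, pairwise disjoint closed intervals [a, b]
# where it is true.  Discrete behaviour: letter -> set of integers where true.

def holds(intervals, t):
    return any(a <= t <= b for a, b in intervals)

def sample(dense, delta=DELTA, z=Z, ks=KS):
    """sigma_{delta,z}: read every letter at the instants z + k*delta."""
    return {p: {k for k in ks if holds(iv, z + k * delta)} for p, iv in dense.items()}

def non_berkeley(dense, delta=DELTA):
    """Each bounded stretch between consecutive transition points lasts >= delta."""
    for iv in dense.values():
        pts = sorted(x for ab in iv for x in ab)
        if any(q - p < delta for p, q in zip(pts, pts[1:])):
            return False
    return True

# Flat formulas: a letter 'p'; ('ev', l, u, 'p') = <>_[l,u](p); ('al', l, u, 'p')
# = []_[l,u](p); ('imp', a, b) = a => b.  Windows are closed: [t+l, t+u].

def dense_sat(phi, dense, t):
    if isinstance(phi, str):
        return holds(dense[phi], t)
    if phi[0] == 'imp':
        return not dense_sat(phi[1], dense, t) or dense_sat(phi[2], dense, t)
    op, l, u, p = phi
    lo, hi = t + l, t + u
    if op == 'ev':                          # some instant of the window satisfies p
        return any(a <= hi and lo <= b for a, b in dense[p])
    return any(a <= lo and hi <= b for a, b in dense[p])   # window inside one p-interval

def disc_sat(phi, disc, k):
    if isinstance(phi, str):
        return k in disc[phi]
    if phi[0] == 'imp':
        return not disc_sat(phi[1], disc, k) or disc_sat(phi[2], disc, k)
    op, l, u, p = phi
    hits = [j in disc[p] for j in range(k + l, k + u + 1)]
    return any(hits) if op == 'ev' else all(hits)

def adapt(phi, to_discrete, delta=DELTA):
    """R-to-Z as in the proof of Theorem 15: <> gets [floor(l/d), ceil(u/d)],
    [] gets [ceil(l/d), floor(u/d)].  Z-to-R as in the intuition of Section 3.2:
    grow <> windows and shrink [] windows by one period on each side (assumed
    rule; the paper's canonical eta^Z differs in detail)."""
    if isinstance(phi, str):
        return phi
    if phi[0] == 'imp':
        return ('imp', adapt(phi[1], to_discrete, delta), adapt(phi[2], to_discrete, delta))
    op, l, u, p = phi
    if to_discrete:
        return (op, floor(l / delta), ceil(u / delta), p) if op == 'ev' else \
               (op, ceil(l / delta), floor(u / delta), p)
    s = -1 if op == 'ev' else 1
    return (op, (l + s) * delta, (u - s) * delta, p)

def grid(lo, hi):                 # dense instants lo..hi in quarter-period steps
    return [Fr(n, 4) for n in range(4 * lo, 4 * hi + 1)]

# Figure 2(b): <>_[2,5](p) is closed under sampling; p recurs every 3 units.
C2 = {'p': [(Fr(1), Fr(5, 2)), (Fr(11, 2), Fr(7))]}

def figure_2b():
    assert non_berkeley(C2)
    phi, d2 = ('ev', Fr(2), Fr(5), 'p'), sample(C2)
    ks = [k for k in range(-4, 5) if dense_sat(phi, C2, Z + k * DELTA)]
    return len(ks), all(disc_sat(adapt(phi, True), d2, k) for k in ks)

# Figure 2(d): the same formula does not transfer back unchanged from the sampling
# (p true at 0 and 4 but false on the open gap (0, 4)); growing the window repairs it.
C4 = {'p': [(Fr(-1), Fr(0)), (Fr(4), Fr(5))]}

def figure_2d():
    assert non_berkeley(C4)
    phi, d4 = ('ev', 2, 5, 'p'), sample(C4)
    disc_ok = all(disc_sat(phi, d4, k) for k in range(-4, 0))
    fails = [t for t in grid(-4, -1) if not dense_sat(phi, C4, t)]
    wider = adapt(phi, False)
    return disc_ok, fails, wider, all(dense_sat(wider, C4, t) for t in grid(-4, -1))

# Figure 2(e): the dual for q => []_[2,5](p); shrinking the window to [3,4] repairs it.
C5 = {'q': [(Fr(-13, 10), Fr(-3, 10))], 'p': [(Fr(1), Fr(6))]}

def figure_2e():
    assert non_berkeley(C5)
    phi, d5 = ('imp', 'q', ('al', 2, 5, 'p')), sample(C5)
    disc_ok = all(disc_sat(phi, d5, k) for k in range(-4, 5))
    fails = [t for t in grid(-2, 0) if not dense_sat(phi, C5, t)]
    narrower = adapt(phi, False)
    return disc_ok, fails, narrower, all(dense_sat(narrower, C5, t) for t in grid(-2, 0))
```

Running the three functions reproduces the three situations of the text: `figure_2b()` returns `(9, True)`, i.e. at all nine sampling instants checked the dense formula holds and so does its adaptation over the sampling; `figure_2d()` lists the three grid instants in $(-2,-1)$ where $\Diamond_{[2,5]}(p)$ fails over $c_4$ although it holds at every integer over $d_4$, and confirms that the grown formula $\Diamond_{[1,6]}(p)$ holds on the whole grid; `figure_2e()` does the same for the universal formula, whose window shrinks to $[3,4]$.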
3.3.2 Flat MTL is Sampling Invariant



The main result of the paper is now proved. 

Theorem 15 (Sampling invariance of $\flat$MTL). Let $\delta > 0$ be any sampling period and $z$ be any origin. All flat $\flat$MTL formulas are sampling invariant with respect to the canonical adaptations $\eta^{\mathbb{R}}_{\delta}, \eta^{\mathbb{Z}}_{\delta}$ and the canonical sampling function $\sigma_{\delta,z}$.

Proof. The proof is split into two parts: first we show that any dense-endpoint flat formula $\phi$ is c.u.s.; then we show that any discrete-endpoint flat formula $\phi$ is c.u.i.s.⁸

Let us introduce the following abbreviations: for a dense-time instant $r$, let $\Omega(r)$ denote the sampling instant $z + \lfloor (r-z)/\delta \rfloor \delta$, which is immediately before or exactly at $r$, and let $\mathrm{O}(r)$ denote the sampling instant $z + \lceil (r-z)/\delta \rceil \delta$, which is immediately after or exactly at $r$. Also, $\omega(r)$ and $o(r)$ denote the distances between $r$ and its previous and next sampling instant, respectively; that is $\omega(r) = r - \Omega(r)$ and $o(r) = \mathrm{O}(r) - r$. Obviously $\omega(r), o(r) \geq 0$.⁹

⁸ For brevity we omit dealing with past operators, as it can be done from the corresponding future operators with little effort.

⁹ This proof exploits some properties of the floor and ceiling functions. We refer the reader to [GKP94] for a thorough treatment of these functions.

(Closure under sampling). Let $\phi$ be a generic dense-endpoint flat MTL formula, $b$ a dense-time non-Berkeley behavior in $\mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$, and $\phi' = \eta^{\mathbb{R}}_{\delta}[\phi]$. Then, let $b'$ be the sampling $\sigma_{\delta,z}[b]$ of $b$ with the given origin and sampling period.

For a generic sampling instant $t = z + k\delta$, we show that $b(t) \models_{\mathbb{R}} \phi$ implies $b'(k) \models_{\mathbb{Z}} \phi'$, by induction on the structure of $\phi$. This proves that if $b \models_{\mathbb{R}} \phi$ then $\sigma_{\delta,z}[b] \models_{\mathbb{Z}} \eta^{\mathbb{R}}_{\delta}[\phi]$ for any $b \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$; hence any $\flat$MTL dense-endpoint formula is c.u.s.

• $\phi = \pi$, $\phi = \phi_1 \wedge \phi_2$, and $\phi = \phi_1 \vee \phi_2$ are straightforward from the definitions.

• $\phi = \mathrm{U}_{\langle l,u \rangle}(\pi_1,\pi_2)$. $\phi'$ is $\mathrm{U}_{[l',u']}(\pi_1,\pi_2)$, with $l' = \lfloor l/\delta \rfloor$ and $u' = \lceil u/\delta \rceil$.

Let $d$ be a real in $\langle l,u \rangle$ such that $b(t+d) \models_{\mathbb{R}} \pi_2$ and, for all $e \in [0,d)$, it is $b(t+e) \models_{\mathbb{R}} \pi_1$. Since $b$ is non-Berkeley, there exists a $p \in [0,\delta]$ such that for all $f \in [-p, -p+\delta]$ it is $b(t+d+f) \models_{\mathbb{R}} \pi_2$; i.e., $\pi_2$ holds over $I = [t+d-p, t+d-p+\delta]$. Some sampling instant must fall within $I$, as $I$ has size $\delta$.

In particular, it is either $p \geq \omega(t+d)$ or $-p+\delta \geq o(t+d)$: otherwise it would be $\delta = p + (-p+\delta) < \omega(t+d) + o(t+d) = \mathrm{O}(t+d) - \Omega(t+d) = \delta(\lceil (t+d-z)/\delta \rceil - \lfloor (t+d-z)/\delta \rfloor) \leq \delta$, a contradiction (where we exploited the property $\lceil r \rceil - \lfloor r \rfloor \leq 1$ for any real $r$). Let $t'$ be the sampling instant:

$t' = \Omega(t+d)$ if $p \geq \omega(t+d)$, and $t' = \mathrm{O}(t+d)$ otherwise.

It is not difficult to check that $(t'-t)/\delta \in [l',u']$. In fact:

- if $p \geq \omega(t+d)$, then $t'-t = \Omega(t+d) - t = \delta(\lfloor (k\delta+d)/\delta \rfloor - k) = \delta \lfloor d/\delta \rfloor$. Recall that $d \in \langle l,u \rangle$, and then a fortiori $d \in [l,u] \supseteq \langle l,u \rangle$. So $d/\delta \in [l/\delta, u/\delta]$, and $(t'-t)/\delta = \lfloor d/\delta \rfloor \in [\lfloor l/\delta \rfloor, \lfloor u/\delta \rfloor] \subseteq [l',u']$.

- if $p < \omega(t+d)$, then $t'-t = \mathrm{O}(t+d) - t = \delta(\lceil (k\delta+d)/\delta \rceil - k) = \delta \lceil d/\delta \rceil$. Recall that $d \in \langle l,u \rangle$, and then a fortiori $d \in [l,u] \supseteq \langle l,u \rangle$. So $d/\delta \in [l/\delta, u/\delta]$, and $(t'-t)/\delta = \lceil d/\delta \rceil \in [\lceil l/\delta \rceil, \lceil u/\delta \rceil] \subseteq [l',u']$.

In all, $b(t') \models_{\mathbb{R}} \pi_2$. By inductive hypothesis, it follows that for $d' = (t'-t)/\delta$ it is $b'(k+d') \models_{\mathbb{Z}} \pi_2$, and $d' \in [l',u']$.

Let us now show that for all integers $e' \in [0, d'-1]$ it is $b'(k+e') \models_{\mathbb{Z}} \pi_1$. Recall that $d' \leq \lceil d/\delta \rceil < d/\delta + 1$, since $\lceil r \rceil < r + 1$ for any real number $r$; hence $\delta(d'-1) < \delta(d/\delta) = d$. Since for all $e \in [0,d)$ we have $b(t+e) \models_{\mathbb{R}} \pi_1$, and since $[0, \delta(d'-1)] \subseteq [0,d)$, a fortiori for all $e \in [0, \delta(d'-1)]$ it is $b(t+e) \models_{\mathbb{R}} \pi_1$. By inductive hypothesis, it follows that for all integers $e' \in [0, d'-1] = [0,d')$ it is $b'(k+e') \models_{\mathbb{Z}} \pi_1$. We conclude that $b'(k) \models_{\mathbb{Z}} \phi'$.

• $\phi = \mathrm{R}_{\langle l,u \rangle}(\pi_1,\pi_2)$. $\phi'$ is $\mathrm{R}_{\langle l',u' \rangle}(\pi_1,\pi_2)$, where $l', u'$ depend on whether $I = \langle l,u \rangle$ is closed, open, or half-open.

Let $d'$ be a generic integer in $\langle l',u' \rangle$; we show that $b'(k+d') \models_{\mathbb{Z}} \pi_2$ or there exists an $e' \in [0,d')$ such that $b'(k+e') \models_{\mathbb{Z}} \pi_1$. First we show that $\langle l',u' \rangle \subseteq \langle l/\delta, u/\delta \rangle$. In fact, consider the four possible cases for interval $I' = \langle l',u' \rangle$.

- $I = [l,u]$, so $I' = [l',u']$, where $l' = \lceil l/\delta \rceil$ and $u' = \lfloor u/\delta \rfloor$. Thus, $[l',u'] \subseteq [l/\delta, u/\delta]$, as $\lfloor r \rfloor \leq r$ and $\lceil r \rceil \geq r$ for any real $r$.

- $I = [l,u)$, so $I' = [l',u')$, where $l' = \lceil l/\delta \rceil$ and $u' = \lceil u/\delta \rceil$. Thus, $[l',u') \subseteq [l/\delta, u/\delta)$, as $[l',u') = [\lceil l/\delta \rceil, \lceil u/\delta \rceil - 1] \subseteq [l/\delta, u/\delta)$, noting that $\lceil r \rceil \geq r$, and that $\lceil r \rceil - 1 < r$, for any real $r$.

- $I = (l,u]$, so $I' = (l',u']$, where $l' = \lfloor l/\delta \rfloor$ and $u' = \lfloor u/\delta \rfloor$. Thus, $(l',u'] \subseteq (l/\delta, u/\delta]$, as $(l',u'] = [\lfloor l/\delta \rfloor + 1, \lfloor u/\delta \rfloor] \subseteq (l/\delta, u/\delta]$, noting that $\lfloor r \rfloor \leq r$, and that $\lfloor r \rfloor + 1 > r$, for any real $r$.

- $I = (l,u)$, so $I' = (l',u')$, where $l' = \lfloor l/\delta \rfloor$ and $u' = \lceil u/\delta \rceil$. Thus, $(l',u') \subseteq (l/\delta, u/\delta)$, as $(l',u') = [\lfloor l/\delta \rfloor + 1, \lceil u/\delta \rceil - 1] \subseteq (l/\delta, u/\delta)$, noting that $\lfloor r \rfloor + 1 > r$, and that $\lceil r \rceil - 1 < r$, for any real $r$.

In all, $b(t + \delta d') \models_{\mathbb{R}} \pi_2$ or there exists an $e \in [0, \delta d')$ such that $b(t+e) \models_{\mathbb{R}} \pi_1$.

If the former is the case, $b'(k+d') \models_{\mathbb{Z}} \pi_2$ holds by inductive hypothesis, which fulfills the goal. If the latter is the case, we have $b(t) \models_{\mathbb{R}} \Diamond_{[0,\delta d')}(\pi_1) = \mathrm{U}_{[0,\delta d')}(\top, \pi_1)$, which entails $b'(k) \models_{\mathbb{Z}} \Diamond_{[0,d')}(\pi_1)$. Therefore, there exists an $e' \in [0,d')$ such that $b'(k+e') \models_{\mathbb{Z}} \pi_1$, as required.

(Closure under inverse sampling). Let us first introduce the following terminology; for any dense-endpoint formula $\psi$:

• if $b(t) \models_{\mathbb{R}} \Box_{<\delta}(\psi)$ (resp. $b(t) \models_{\mathbb{R}} \boxminus_{<\delta}(\psi)$), $\psi$ "shifts to the right (s.t.r.) at $t$" (resp. "shifts to the left (s.t.l.) at $t$");

• if $b(t) \models_{\mathbb{R}} \mathrm{U}_{=c}(\psi, \Delta(\neg\psi))$ (resp. $b(t) \models_{\mathbb{R}} \mathrm{S}_{=c}(\psi, \Delta(\neg\psi))$) for some $c \in (0,\delta)$, or $b(t) \models_{\mathbb{R}} \psi$ with $\neg\psi$ holding immediately after $t$ (resp. immediately before $t$) and $c = 0$, $\psi$ "turns false in the future (t.f.f.) at $t \oplus c$" (resp. "turned false in the past (t.f.p.) at $t \ominus c$").

Let $\phi$ be a generic discrete-endpoint flat MTL formula, $b$ a discrete-time behavior in $[\![\phi]\!]_{\mathbb{Z}}$, and $\phi' = \eta^{\mathbb{Z}}_{\delta}[\phi]$. Then, let $b'$ be a dense-time non-Berkeley behavior in $\mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$ such that $\sigma_{\delta,z}[b'] = b$ with the given origin and sampling period.

For a generic sampling instant $t = z + k\delta$, in the remainder we show that: (1) $b'(t) \models_{\mathbb{R}} \phi'$; (2) $\phi'$ s.t.r. at $t$, or there exist $c \in [0,\delta)$ and $\varpi \in \mathrm{PL}$ such that $\phi'$ and $\varpi$ both t.f.f. at $t \oplus c$, or $\phi'$ is false at $t + \delta$; and (3) either $\phi'$ s.t.l. at $t$ or there exist $c \in [0,\delta)$ and $\varpi \in \mathrm{PL}$ such that $\phi'$ and $\varpi$ both t.f.p. at $t \ominus c$.

From these three facts we can prove that $\phi$ is c.u.i.s. by showing that $b'(t) \models_{\mathbb{R}} \phi'$ for all $t \in \mathbb{R}$. First, (1) shows this fact for all $t = z + k\delta$ for some integer $k$. Then, let $t_n = t + \delta$ and show that $\phi'$ holds over the generic $\delta$-length closed real interval $[t, t_n]$. If $\phi'$ s.t.r. at $t$ or it s.t.l. at $t_n$, we are done. If $\phi'$ is false at $t + \delta = z + (k+1)\delta$ we have a contradiction which also closes the proof. Otherwise, from (2) and (3) we assume that: (a) $\phi'$ t.f.f. at $t \oplus c_p$ for some $c_p \in [0,\delta)$ with some $\varpi_p \in \mathrm{PL}$; and (b) $\phi'$ t.f.p. at $t_n \ominus c_n$ for some $c_n \in -[0,\delta)$ with some $\varpi_n \in \mathrm{PL}$. Note that $|(t_n + c_n) - (t + c_p)| = |\delta + c_n - c_p| < \delta$; non-Berkeleyness of $b' \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$ entails that either the two change points $t + c_p$ and $t_n + c_n$ coincide or $c_n = c_p = 0$. In both cases Lemma [H] implies a contradiction which closes the whole proof. We remark that the proofs go through also for intervals of temporal operators with negative endpoints, possibly with minimal adjustments that we do not discuss explicitly for the sake of brevity. Finally, we prove (1), (2), and (3) by induction on the structure of $\phi$.

• $\phi = \pi$. (1) From the definition of $\sigma_{\delta,z}$, it follows that $b'(t) = b(k)$. (2) Consider Lemma 8 at $t$: there exists $c_n \geq 0$ such that $\pi$ t.f.f. at $t \oplus c_n$, or it holds indefinitely in the future. If the latter is the case, it obviously s.t.r. (3) is proved similarly as (2), with respect to the past.

• $\phi = \phi_1 \wedge \phi_2$ and $\phi = \phi_1 \vee \phi_2$ are straightforward from the definitions.

• $\phi = \mathrm{U}_{[l,u]}(\pi_1,\pi_2)$. $\phi'$ is $\mathrm{U}_{(l',u')}(\pi_1, \Delta(\pi_2))$, with $l' = (l-2)\delta$ and $u' = (u+1)\delta$.

(1) Let us start by proving $b'(t) \models_{\mathbb{R}} \psi$ with $\psi = \mathrm{U}_{[(l-1)\delta, u\delta]}(\pi_1, \Delta(\pi_2))$. This implies $b'(t) \models_{\mathbb{R}} \phi'$, as $[(l-1)\delta, u\delta] \subseteq (l',u')$, hence $\psi$ is stronger than $\phi'$. Proving a stronger formula will be necessary in steps (2) and (3).

Let $d \in [l,u]$ be the integer time instant such that $b(k+d) \models_{\mathbb{Z}} \pi_2$, which exists by hypothesis. The case $d = 0$ is trivial, hence let us consider $d > 0$. Still by hypothesis, for all integers $e \in [0,d) = [0,d-1]$ it is $b(k+e) \models_{\mathbb{Z}} \pi_1$. By inductive hypothesis, for all real $\delta$-multiples $e' \in [0, d\delta)$ it is $b'(t+e') \models_{\mathbb{R}} \pi_1$. If $b'(t+d\delta) \models_{\mathbb{R}} \pi_1$ as well, let $d' = d\delta$; otherwise $\pi_1$ t.f.f. at some $t' \oplus 0$ with $t + (d-1)\delta < t' \leq t + d\delta$, and let $d' = t' - t > 0$. Notice that $d' \in [(l-1)\delta, u\delta]$. Correspondingly, $\pi_1$ holds over $[0,d') \oplus t$. In addition, a little reasoning should convince us that Lemma 8 for $\pi_2$ at $t + d\delta$ (also considering the fact that $\pi_1$ t.f.f. at $t' \oplus 0$ unless it holds at $t + d\delta$) implies that $\pi_2$ must hold over $(d', d\delta] \oplus t$; hence $b'(t+d') \models_{\mathbb{R}} \Delta(\pi_2)$.

(2) Let $s$ be any value in $(0,\delta)$. Let $c = d' - s$: notice that $c \in (l',u')$ because $c > d' - \delta \geq (l-1)\delta - \delta = l'$ and $c < d' \leq u\delta < u'$. Since $t + s + c = t + d'$ we have already shown that $b'(t+s+c) \models_{\mathbb{R}} \Delta(\pi_2)$. Moreover, $[s, s+c) \subseteq [0,d')$, thus $b'(t+s+f) \models_{\mathbb{R}} \pi_1$ holds a fortiori for all $f \in [0,c)$. All this proves $\phi'$ s.t.r.

(3) Let $f$ be any value in $-(0,\delta)$. For $d'' = d' - f$ we have $d'' \in [(l-1)\delta, (u+1)\delta)$ and $b'(t+f+d'') \models_{\mathbb{R}} \Delta(\pi_2)$. Also, by inductive hypothesis either $\pi_1$ t.f.p. at $t \ominus c$ for some $c \in [0,\delta)$ or $\pi_1$ s.t.l. In the latter case, $\phi'$ s.t.l. as well; in the former case, $\phi'$ t.f.p. at $t \ominus c$ as well.

• $\phi = \mathrm{R}_{[l,u]}(\pi_1,\pi_2)$. $\phi'$ is $\mathrm{R}_{[l',u']}(\pi_1,\pi_2)$, with $l' = (l+1)\delta$ and $u' = (u-1)\delta$.

(1) Let us start by proving $b'(t) \models_{\mathbb{R}} \psi$ with $\psi = \mathrm{R}_{[l\delta, u\delta]}(\pi_1,\pi_2)$. This implies $b'(t) \models_{\mathbb{R}} \phi'$, as $[l\delta, u\delta] \supseteq [l',u']$, hence $\psi$ is stronger than $\phi'$. Proving a stronger formula will be necessary in steps (2) and (3).

Let $d'$ be any real value in $[l\delta, u\delta]$; we prove that $b'(t+d') \models_{\mathbb{R}} \pi_2$ or $b'(t+e') \models_{\mathbb{R}} \pi_1$ for some $e' \in [0,d')$. We discuss two cases.

- If $t + d'$ is a sampling instant, $d = d'/\delta$ is an integer, and $d \in [l,u]$. Also, by hypothesis, $b(k+d) \models_{\mathbb{Z}} \pi_2$ or $b(k+e) \models_{\mathbb{Z}} \pi_1$ for some integer $e \in [0,d-1]$. In the former case, $b'(t+d') \models_{\mathbb{R}} \pi_2$ follows by inductive hypothesis. Otherwise, $b'(t+e') \models_{\mathbb{R}} \pi_1$ for $e' = e\delta$ and $e' \in [0, d'-\delta] \subseteq [0,d')$, also by inductive hypothesis.

- If $t + d'$ is not a sampling instant, let $p' = d' - \omega(t+d')$ and $n' = d' + o(t+d')$; these are both integer multiples of $\delta$. Notice that $p' > d' - \delta \geq l\delta - \delta = (l-1)\delta$, and $n' < d' + \delta \leq u\delta + \delta = (u+1)\delta$. Therefore, the two integers $p = p'/\delta$ and $n = n'/\delta$ are such that $p, n \in [l,u]$. Hence, from the hypothesis $b(k) \models_{\mathbb{Z}} \phi$, one of the following two cases holds.

* $b(k+p) \models_{\mathbb{Z}} \pi_2$ and $b(k+n) \models_{\mathbb{Z}} \pi_2$, with $n = p+1$. By inductive hypothesis, $b'(t+p') \models_{\mathbb{R}} \pi_2$ and $b'(t+n') \models_{\mathbb{R}} \pi_2$ follow. Since $b' \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$ is non-Berkeley by hypothesis, $\pi_2$ holds over the whole real interval $[t+p', t+n'] = [t+p', t+p'+\delta]$ as well. In particular, $b'(t+d') \models_{\mathbb{R}} \pi_2$ for $d' \in [p', p'+\delta]$.

* $b(k+e) \models_{\mathbb{Z}} \pi_1$ for some integer $e \in [0,p-1]$ or $e \in [0,n-1]$. From $(p-1)\delta < (n-1)\delta < (d'+\delta) - \delta = d'$, it follows that $e' = \delta e \in [0,d')$. $b'(t+e') \models_{\mathbb{R}} \pi_1$ holds by inductive hypothesis.

In all, $b'(t) \models_{\mathbb{R}} \psi$ is established.

(2) Let $f$ be any value in $(0,\delta)$ and $d''$ be any real value in $[l',u']$. Since $d'' + f \in [l\delta, u\delta]$, we already proved that $b'(t+d''+f) \models_{\mathbb{R}} \pi_2$ or $b'(t+c) \models_{\mathbb{R}} \pi_1$ for some $c \in [0, d''+f)$.

If, for all $d''$, the stronger fact that $b'((t+f)+d'') \models_{\mathbb{R}} \pi_2$ or $b'(t+c) \models_{\mathbb{R}} \pi_1$ for some $c \in [f, d''+f) \subseteq [0, d''+f)$ holds, then we have proved that $\phi'$ s.t.r. at $t$, because $t + c = t + f + (c-f)$ and $c - f \in [0,d'')$. Otherwise, there is some $d''$ such that: (a) $b'((t+f)+d'') \models_{\mathbb{R}} \neg\pi_2$; (b) $b'(t+d) = b'((t+f)+(d-f)) \models_{\mathbb{R}} \neg\pi_1$ for all $d \in [f, d''+f)$; and (c) $b'(t+c) \models_{\mathbb{R}} \pi_1$ for some $c \in [0,f)$. Let $v$ be the smallest instant in $[0,f)$ such that $\Delta(\neg\pi_1)$ holds at $t + v$; this exists because $b'$ is non-Zeno. Lemma 8 entails that $\pi_1$ holds over interval $[0,v) \oplus t$, and $\pi_1$ t.f.f. at $t \oplus v$. Hence, it can be seen that $\phi'$ t.f.f. at $t \oplus v$ as well.

(3) Let $s$ be any value in $-(0,\delta)$ and $d$ be any real value in $[l',u']$. Since $s + d \in [l\delta, u\delta]$, we have already shown that $b'(t+(s+d)) \models_{\mathbb{R}} \pi_2$ or $b'(t+e') \models_{\mathbb{R}} \pi_1$ for some $e' \in [0, s+d)$. In both cases it follows that $\phi'$ s.t.l. at $t$, in particular as $e'' = e' - s$ with $e'' \in [-s, d) \subseteq [0,d)$ and $t + e' = (t+s) + e''$.

• $\phi = \mathrm{U}^{\mathrm{m}}_{[l,u]}(\pi_1,\pi_2)$. The proof is all similar to the case of the "standard" until, with the simplification that matchingness allows us to establish the stronger $b'(t) \models_{\mathbb{R}} \mathrm{U}^{\mathrm{m}}_{[l\delta, u\delta]}(\pi_1,\pi_2)$ in part (1). □



3.3.3 Canonical Adaptations are Optimal

Let us provide some justification for the particular choice of canonical adaptations. In principle, more complex transformations could be devised such that Theorem 15 still holds. However, we aimed at introducing adaptations that change the structure of the formulas as little as possible, such that the transformed formulas are "essentially the same" as the original formulas, except for some adjustments required to bridge the gaps in terms of time units and granularity (see Example 12).

In a nutshell, adaptations should preserve the propositional and modal structure of a formula as much as possible. To formalize this intuition we introduce the notion of regularity.

Definition 16 (Regularity of adaptations). Let $\phi_1, \phi_2$ be any pair of MTL formulas and $\bigcirc$ a modality. An adaptation $\nu$ is:

• Compositional if it satisfies $\nu[\phi_1 \bowtie \phi_2] = \nu[\phi_1] \bowtie \nu[\phi_2]$ for any $\bowtie \in \{\wedge, \vee\}$.

• Propositional-preserving if $\nu[p] = p$ for any $p \in \mathcal{P}$.

• $\bigcirc$-modality-preserving if, for any interval $I$, $\nu[\bigcirc_I(\phi_1,\phi_2)] = \bigcirc_{I'}(\nu[\phi_1], \nu[\phi_2])$.

An adaptation is $\bigcirc$-regular if it is compositional, propositional-preserving, and $\bigcirc$-modality-preserving. An adaptation is regular when it is $\bigcirc$-regular for every modality $\bigcirc \in \{\mathrm{U}, \mathrm{S}, \mathrm{R}, \mathrm{T}\}$.

Canonical adaptations $\eta^{\mathbb{R}}_{\delta}, \eta^{\mathbb{Z}}_{\delta}$ are regular for all modalities, with the exception of $\eta^{\mathbb{Z}}_{\delta}$, which is not U-modality-preserving for the non-matching variant of the until modality. A U-modality-preserving $\mathbb{Z}$-to-$\mathbb{R}$ adaptation, however, would not achieve sampling invariance: as noted in Section 3.3.1, the matching semantics is the most natural choice to bridge the discrete- and dense-time semantics. Furthermore, canonical adaptations are the "best" among all possible regular sampling-invariant adaptations, in the sense that the adapted intervals are as constraining as possible. This should be intuitively understandable already from the proof of Theorem 15, which would not stand if we introduced any relaxation in adapted interval bounds. More formally we have the following.

Theorem 17 (Optimality of $\eta^{\mathbb{R}}_{\delta}$). Let $\nu^{\mathbb{R}}$ be a regular $\mathbb{R}$-to-$\mathbb{Z}$ adaptation such that any flat dense-endpoint $\phi \in \flat$MTL is c.u.s. with respect to it and $\sigma_{\delta,z}$. Then, $d \models_{\mathbb{Z}} \eta^{\mathbb{R}}_{\delta}[\phi]$ implies $d \models_{\mathbb{Z}} \nu^{\mathbb{R}}[\phi]$ for any behavior $d \in \mathcal{B}_{\mathcal{P},\mathbb{Z}}$.
Proof. The proof relies on techniques very similar to those of Theorem 15, hence only a proof sketch is provided.

The proof goes by contradiction: let $\nu^{\mathbb{R}}$ be an $\mathbb{R}$-to-$\mathbb{Z}$ regular adaptation such that there exist $\phi \in \flat$MTL and $d \in \mathcal{B}_{\mathcal{P},\mathbb{Z}}$ with $d \models_{\mathbb{Z}} \eta^{\mathbb{R}}_{\delta}[\phi]$ but $d \not\models_{\mathbb{Z}} \nu^{\mathbb{R}}[\phi]$. Then, we build $c' \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$ and $\zeta \in \flat$MTL such that $c' \models_{\mathbb{R}} \zeta$, $\sigma_{\delta,z}[c'] \models_{\mathbb{Z}} \eta^{\mathbb{R}}_{\delta}[\zeta]$, but $\sigma_{\delta,z}[c'] \not\models_{\mathbb{Z}} \nu^{\mathbb{R}}[\zeta]$; hence $\zeta$ is not c.u.s. with respect to $\nu^{\mathbb{R}}$ and $\sigma_{\delta,z}$.

Let $k \in \mathbb{Z}$ be such that $d(k) \not\models_{\mathbb{Z}} \nu^{\mathbb{R}}[\phi]$, while recall that $d(k) \models_{\mathbb{Z}} \eta^{\mathbb{R}}_{\delta}[\phi]$. The propositional structure of $\eta^{\mathbb{R}}_{\delta}[\phi]$ and $\nu^{\mathbb{R}}[\phi]$ is the same, since both adaptations are regular. Then, by induction on the same propositional structure of $\eta^{\mathbb{R}}_{\delta}[\phi]$ and $\nu^{\mathbb{R}}[\phi]$, one can show that there exists a modality $\bigcirc \in \{\mathrm{U}, \mathrm{R}, \mathrm{S}, \mathrm{T}\}$ such that $d(k) \models_{\mathbb{Z}} \eta^{\mathbb{R}}_{\delta}[\bigcirc_I(\pi_1,\pi_2)]$ and $d(k) \not\models_{\mathbb{Z}} \nu^{\mathbb{R}}[\bigcirc_I(\pi_1,\pi_2)]$ for some $\pi_1, \pi_2 \in \mathrm{PL}$. Let us write $\bigcirc_J(\beta_1,\beta_2)$ for $\eta^{\mathbb{R}}_{\delta}[\bigcirc_I(\pi_1,\pi_2)]$, and $\bigcirc_K(\gamma_1,\gamma_2)$ for $\nu^{\mathbb{R}}[\bigcirc_I(\pi_1,\pi_2)]$. The proof goes on by case discussion on the modality $\bigcirc$; for brevity we just show the case $\bigcirc = \mathrm{U}$, but the remaining cases can be handled all similarly.

Let $i$ be one of 1, 2. From the definition of $\eta^{\mathbb{R}}_{\delta}$ and the regularity of $\nu^{\mathbb{R}}$, it is $\beta_i = \gamma_i = \pi_i$. In all, there exists a $u \in J$ s.t. $d(k+u) \models_{\mathbb{Z}} \pi_2$ and $d(h) \models_{\mathbb{Z}} \pi_1$ for all $h \in [0,u) \oplus k$. Since we are assuming that $d(k) \not\models_{\mathbb{Z}} \mathrm{U}_K(\gamma_1,\gamma_2)$, it must be $u \notin K$, so either $K \subseteq (-\infty, u-1]$ or $K \subseteq [u+1, +\infty)$. The remainder assumes $K \subseteq (-\infty, u-1]$ and $u \geq 1$; the other cases can be handled along the same lines and are omitted for brevity.

The next step builds a new formula $\psi = \mathrm{U}_J(y,z)$ with fresh propositional letters $y, z$; and a new discrete-time behavior $e$ over $\{y,z\}$ defined as follows: $z \in e(j)$ iff $j \geq k+u$, and $y \in e(j)$ for all $j \in \mathbb{Z}$. It follows that $e(k) \models_{\mathbb{Z}} \mathrm{U}_J(y,z)$ but $e(k) \not\models_{\mathbb{Z}} \mathrm{U}_K(y,z)$ because $\max K < u$. Also notice that $\eta^{\mathbb{R}}_{\delta}[\psi] = \mathrm{U}_J(y,z)$ and $\nu^{\mathbb{R}}[\psi] = \mathrm{U}_K(y,z)$. Take a $c$ built as follows: $z \in c(t)$ iff $t > z + (k+u-1)\delta$, and $y \in c(t)$ for all $t \in \mathbb{R}$. It should be clear that $c \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$, $c \in \sigma^{-1}_{\delta,z}[e]$, and $c(z+k\delta) \models_{\mathbb{R}} \mathrm{U}_J(y,z) = \psi$, because $z$ holds to the right of $z + (k+u-1)\delta$ but is false before and at it (over $z + \delta(k \oplus K)$). In addition, one can see that $c(t) \models_{\mathbb{R}} \psi$ holds for all $t \geq z + k\delta$.

The last step is as follows: let us build a new non-Berkeley dense-time behavior $c' \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$ over propositions in $\{y,z\} \cup \{x\}$, i.e., the same propositions as $c$ plus a fresh one denoted by $x$. $c'|_{\{y,z\}}$ is identical to $c$, whereas $x \in c'(t)$ iff $c(t) \not\models_{\mathbb{R}} \psi$; hence in particular $c'(z+k\delta) \models_{\mathbb{R}} \psi \wedge \neg x$. Notice that such $c'$ is non-Berkeley for $\delta$. Finally, consider formula $\zeta \in \flat$MTL defined as $x \vee \psi$. Clearly, $c' \models_{\mathbb{R}} \zeta$ is the case by construction; hence $\sigma_{\delta,z}[c'] \models_{\mathbb{Z}} \eta^{\mathbb{R}}_{\delta}[\zeta]$ follows from Theorem 15. Also, $\sigma_{\delta,z}[c'](k) \not\models_{\mathbb{Z}} \nu^{\mathbb{R}}[\psi]$ as the truth of $\psi$ does not depend on $x$; and $\sigma_{\delta,z}[c'](k) \not\models_{\mathbb{Z}} \nu^{\mathbb{R}}[x]$ as the regularity of $\nu^{\mathbb{R}}$ implies $\nu^{\mathbb{R}}[x] = x$ and $c'(z+k\delta) \not\models_{\mathbb{R}} x$. In all we have $c' \models_{\mathbb{R}} \zeta$, $\sigma_{\delta,z}[c'] \models_{\mathbb{Z}} \eta^{\mathbb{R}}_{\delta}[\zeta]$, and $\sigma_{\delta,z}[c'] \not\models_{\mathbb{Z}} \nu^{\mathbb{R}}[\zeta]$. Hence, c.u.s. does not hold for formula $\zeta$ with respect to adaptation $\nu^{\mathbb{R}}$ and $\sigma_{\delta,z}$, which is the desired contradiction. □

With a very similar approach the following theorem about the $\eta^{\mathbb{Z}}_{\delta}$ adaptation can be proved.

Theorem 18 (Optimality of regular $\eta^{\mathbb{Z}}_{\delta}$). Let $\nu^{\mathbb{Z}}$ be a regular $\mathbb{Z}$-to-$\mathbb{R}$ adaptation for all modalities $\mathrm{U}^{\mathrm{m}}, \mathrm{S}^{\mathrm{m}}, \mathrm{R}, \mathrm{T}$ such that any discrete-endpoint $\phi \in \flat$MTL using only modalities in $\{\mathrm{U}^{\mathrm{m}}, \mathrm{S}^{\mathrm{m}}, \mathrm{R}, \mathrm{T}\}$ is c.u.i.s. with respect to it and $\sigma_{\delta,z}$. Then, $c \models_{\mathbb{R}} \eta^{\mathbb{Z}}_{\delta}[\phi]$ implies $c \models_{\mathbb{R}} \nu^{\mathbb{Z}}[\phi]$ for any behavior $c \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$.
3.4 Generalizations

Theorem 15 proved that $\flat$MTL is sampling invariant. We claimed previously that $\flat$MTL is an MTL fragment of significant expressiveness; the specification examples in [FPR08a, FPR08b] demonstrate this in practice. Nevertheless, we are still interested in investigating to what extent Theorem 15 can be generalized to larger classes of MTL formulas. More precisely, given that Theorems 17 and 18 showed that canonical adaptations are optimal, we look for larger MTL fragments that are still sampling invariant with respect to $\eta^{\mathbb{R}}_{\delta}$ and $\eta^{\mathbb{Z}}_{\delta}$. Thus, henceforth sampling invariance will always implicitly refer to sampling invariance with respect to $\eta^{\mathbb{R}}_{\delta}$ and $\eta^{\mathbb{Z}}_{\delta}$.

Let us start by illustrating the rather apparent fact that, for any sampling period $\delta$, there exist MTL formulas that are not s.i. with respect to $\delta$.

Example 19 (A formula not c.u.s.). For an arbitrary sampling period $\delta$, let us consider formula $\psi_\delta = \mathrm{Som}(\Box_{\leq\delta}(p))$ and show that it is not c.u.s. with respect to $\delta$. Consider any $c \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$ such that $p \in c(t)$ iff $t \in V$ for some interval $V$ such that $\delta < |V| < 2\delta$; clearly, $c \models_{\mathbb{R}} \psi_\delta$. However, for any $z$ such that $\delta + z + \delta \lfloor (\inf V - z)/\delta \rfloor > \sup V$, $p$ holds at one unique sampling instant over $\sigma_{\delta,z}[c]$ (see Figure 3). Hence, $\sigma_{\delta,z}[c] \not\models_{\mathbb{Z}} \eta^{\mathbb{R}}_{\delta}[\psi_\delta]$, where $\eta^{\mathbb{R}}_{\delta}[\psi_\delta]$ corresponds to $\mathrm{Som}(\Box_{\leq 1}(p))$, because $\Box_{\leq 1}(p)$ requires $p$ to hold over two adjacent time instants. From the fact that the choice of origin $z$ is arbitrary in the definition of sampling invariance (Definition 14), it follows that $\psi_\delta$ is not c.u.s.



Figure 3: Behavior $c$ and its sampling $\sigma_{\delta,z}[c]$; the picture marks the interval $V$ by its endpoints $\inf V$ and $\sup V$.
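As an added example that is not part of the paper, the following Python snippet checks Example 19 on a constructed behavior with $\delta = 1$, $z = 0$ and $V = [0.3, 1.8]$ (so that $\delta < |V| < 2\delta$ and the behavior is non-Berkeley for $\delta$): the nested formula $\mathrm{Som}(\Box_{\leq\delta}(p))$ holds over dense time, but its adaptation $\mathrm{Som}(\Box_{\leq 1}(p))$ fails over the sampling because $p$ is true at a single sampling instant.

```python
# Added example (not from the paper): Example 19 on a constructed behaviour,
# delta = 1, origin z = 0, p true exactly on V = [0.3, 1.8].
from fractions import Fraction as Fr

DELTA, Z = Fr(1), Fr(0)
V = (Fr(3, 10), Fr(9, 5))   # delta < |V| = 1.5 < 2*delta; the only bounded constant
                            # stretch lasts 1.5 >= delta, so c is non-Berkeley for delta

def dense_always(lo, hi):
    """[]_[lo,hi](p) evaluated at the window's origin: the window lies inside V."""
    return V[0] <= lo and hi <= V[1]

def dense_som():
    """Som([]_{<=delta}(p)) over dense time: from the left end of V, p stays
    true for a full sampling period, so the formula is satisfied."""
    return dense_always(V[0], V[0] + DELTA)

def sampled_p(ks=range(-5, 6)):
    """The p-component of sigma_{delta,z}[c]: integers k with z + k*delta in V."""
    return {k for k in ks if V[0] <= Z + k * DELTA <= V[1]}

def discrete_som():
    """eta^R[Som([]_{<=delta}(p))] = Som([]_{<=1}(p)) over the sampling: it needs
    p at two adjacent discrete instants, which one sampled instant cannot give."""
    d = sampled_p()
    return any(k in d and k + 1 in d for k in range(-5, 5))
```

Here `dense_som()` is true while `sampled_p()` is the single instant `{1}` and `discrete_som()` is false, which is exactly the failure of c.u.s. that the example describes; moving the origin $z$ so that two sampling instants fall into $V$ would make the discrete formula true again, which is why the example relies on the origin being arbitrary in Definition 14.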



3.4.1 Shiftable Formulas

Examples 19 and 10 suggest a straightforward criterion to identify non-flat MTL formulas that are c.u.s.: if non-Berkeleyness can be "lifted" from propositional letters to the truth value of some nested sub-formula $A$, then the nesting formula containing $A$ as a sub-formula can be flattened to one that is equi-satisfiable over non-Berkeley behaviors and does not introduce additional constraints. To formalize this notion, we introduce the following.¹⁰

Definition 20 ($\epsilon$-shiftability). Formula $\phi$ is $\epsilon$-shiftable, for some positive real $\epsilon$, iff $b_\phi \in \mathcal{B}^{\epsilon}_{\mathcal{P},\mathbb{R}}$ holds for all $b \in \mathcal{B}^{\epsilon}_{\mathcal{P},\mathbb{R}}$. If $\phi$ is $\epsilon$-shiftable for any $\epsilon$, it is called shiftable.

Shiftability provides a straightforward condition to determine larger MTL subsets that are c.u.s. and c.u.i.s., as the following theorem shows.¹¹

¹⁰ This notion is very similar to the notion of stability introduced in [Rab03].

¹¹ Recall the definition of $\Gamma$-$\flat$MTL at the end of Section 2.2.1.






Theorem 21. Let $\psi$ be a shiftable formula.

1. $\{\psi\}$-$\flat$MTL and $\flat$MTL are equi-satisfiable over $\mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$ for any $\delta$.

2. If $\psi$ and $\neg\psi$ are c.u.s., and $\neg\eta^{\mathbb{R}}_{\delta}[\psi] = \eta^{\mathbb{R}}_{\delta}[\neg\psi]$ for all $\delta$, then all $\{\psi\}$-$\flat$MTL formulas are c.u.s.

3. If, for all $\psi' \in (\eta^{\mathbb{Z}}_{\delta})^{-1}[\psi]$ (where $(\eta^{\mathbb{Z}}_{\delta})^{-1}$ is the preimage of $\eta^{\mathbb{Z}}_{\delta}$), $\psi'$ and $\neg\psi'$ are c.u.i.s., and $\neg\eta^{\mathbb{Z}}_{\delta}[\psi'] = \eta^{\mathbb{Z}}_{\delta}[\neg\psi']$ for all $\delta$, then all $(\eta^{\mathbb{Z}}_{\delta})^{-1}[\psi]$-$\flat$MTL formulas are c.u.i.s.

Proof. (1). Every $\{\psi\}$-$\flat$MTL formula $\phi$ can be flattened into a $\flat$MTL formula $\bar\phi$ by introducing an auxiliary propositional letter $a$ that replaces every occurrence of $\psi$ and is declared to be logically equivalent to $\psi$ itself. Since $\psi$ is shiftable, $b \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$ implies $b^{a}_{\psi} \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$; also, $b^{a}_{\psi} \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$ implies $b \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$ because $b$ has no more transition points than $b^{a}_{\psi}$. Hence $\phi$ and $\bar\phi$ are equi-satisfiable.

(2). Let $\phi$ be any formula in $\{\psi\}$-$\flat$MTL, and consider a behavior $b \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$ such that $b \models_{\mathbb{R}} \phi$. Let $\bar\phi$ denote the $\flat$MTL formula obtained by replacing every occurrence of $\psi$ in $\phi$ by a fresh proposition $a \notin \mathcal{P}$, and let $\phi^{\circ}$ be $\bar\phi \wedge (a \Leftrightarrow \psi)$. Clearly, $b^{a}_{\psi} \models_{\mathbb{R}} \phi^{\circ}$, and $b^{a}_{\psi} \in \mathcal{B}^{\delta}_{\mathcal{P},\mathbb{R}}$ as we showed in (1). Since $\bar\phi$ is flat, it is c.u.s. from Theorem 15; hence $b' \models_{\mathbb{Z}} \eta^{\mathbb{R}}_{\delta}[\bar\phi]$, where $b' = \sigma_{\delta,z}[b^{a}_{\psi}]$. Notice that $\eta^{\mathbb{R}}_{\delta}[a \Leftrightarrow \psi] = \eta^{\mathbb{R}}_{\delta}[a \wedge \psi \vee \neg a \wedge \neg\psi]$ can be written as $a \wedge \eta^{\mathbb{R}}_{\delta}[\psi] \vee \neg a \wedge \eta^{\mathbb{R}}_{\delta}[\neg\psi]$. From the c.u.s. of both $\psi$ and $\neg\psi$ and the fact that $\neg\eta^{\mathbb{R}}_{\delta}[\psi] = \eta^{\mathbb{R}}_{\delta}[\neg\psi]$ we have $\eta^{\mathbb{R}}_{\delta}[a \Leftrightarrow \psi] = a \Leftrightarrow \eta^{\mathbb{R}}_{\delta}[\psi]$ and $b' \models_{\mathbb{Z}} a \Leftrightarrow \eta^{\mathbb{R}}_{\delta}[\psi]$. Let $\phi'$ be obtained from $\eta^{\mathbb{R}}_{\delta}[\bar\phi]$ by substituting every occurrence of $a$ with $\eta^{\mathbb{R}}_{\delta}[\psi]$. Hence, $b' \models_{\mathbb{Z}} \phi'$, which proves that $\phi$ is c.u.s.

(3). All similar to (2), by noticing that $\eta^{\mathbb{Z}}_{\delta}[\psi'] = \psi$ for all $\psi' \in (\eta^{\mathbb{Z}}_{\delta})^{-1}[\psi]$ by definition of preimage. □

3.4.2 LTL is Nestable 



Theorem 21 is applicable to a significant class of MTL formulas, namely qualitative formulas. Indeed, LTL formulas are shiftable.$^{12}$

Lemma 22. All LTL formulas are shiftable.

Proof. Let us consider any non-Berkeley behavior $b \in B^\delta_{\mathcal{P},\mathbb{R}}$ and any LTL formula $\phi$. By induction, we prove that $\tau(b_\phi) \subseteq \tau(b)$, which subsumes the lemma.

The base case $\phi = p$ is trivial. The case $\phi = \neg\phi_1$ follows from the inductive hypothesis $\tau(b_{\phi_1}) \subseteq \tau(b)$ because $\tau(b_{\phi_1}) = \tau(b_{\neg\phi_1})$.

Let us consider $\phi = \mathrm{U}(\phi_1, \phi_2)$; we consider $b' = b_{\mathrm{U}(\phi_1,\phi_2)}$ and prove that $\tau(b') \subseteq \tau(b)$. To this end, let us first take any $t$ such that $b'(t) \models_\mathbb{R} \phi$; hence $b(d) \models_\mathbb{R} \phi_2$ for some $d \geq t$, and $b(u) \models_\mathbb{R} \phi_1$ for all $u \in [t, d)$. The semantics of the qualitative until entails that $b'(t') \models_\mathbb{R} \phi$ holds for all $t \leq t' \leq d$. Then, $\phi$ cannot become false after $d$ until $\phi_1$ or $\phi_2$ becomes false; similarly, $\phi$ cannot become false before $t$ unless $\phi_1$ becomes false. A dual argument shows that the same holds for $\neg\phi$. This establishes that $\tau(b') \subseteq \tau(b)$.

The last case that has to be considered is $\phi = \phi_1 \wedge \phi_2$. This is straightforward from the inductive hypothesis on $\phi_1$ and $\phi_2$: $\tau(b_{\phi_1}) \subseteq \tau(b)$ and $\tau(b_{\phi_2}) \subseteq \tau(b)$. In addition, $\tau(b_{\phi_1 \wedge \phi_2}) \subseteq \tau(b_{\phi_1}) \cup \tau(b_{\phi_2})$ from the semantics of conjunction, hence $\tau(b_\phi) \subseteq \tau(b)$. It is simple to check that $b_\phi \in B^\delta_{\mathcal{P},\mathbb{R}}$ as well, because no left- and right-discontinuity can occur in $b_\phi$ as a result of applying conjunction. □

12 Note that non-strictness of LTL operators is necessary to have shiftability.



Based on the previous lemma, the following corollary of Theorem 21 shows that any LTL qualitative formula can be nested within bMTL formulas without losing c.u.s.

Corollary 23. All LTL-bMTL formulas are c.u.s.

Proof. The proof goes by induction on the nesting depth (i.e., the maximum number of nested modalities) of LTL formulas. For any integer $k > 0$, let $\mathrm{LTL}^k$ denote the set of all LTL formulas of nesting depth $k$.

The base case is for any flat LTL formula $\psi_1 \in \mathrm{LTL}^1$. $\psi_1$ is shiftable from Lemma 22; $\psi_1$ and $\neg\psi_1$ are both c.u.s. from Theorem 15 (because $\neg\psi_1$ can also be written as a flat formula); one can check that $\neg\eta^\delta_\mathbb{Z}[\psi_1] = \eta^\delta_\mathbb{Z}[\neg\psi_1]$ by pushing negations down to propositional letters. So all $\mathrm{LTL}^1$-bMTL formulas are c.u.s. from Theorem 21.

Let now $\psi_k \in \mathrm{LTL}^k$ be any LTL formula of nesting depth $k > 1$. $\psi_k$ is shiftable from Lemma 22; $\psi_k$ and $\neg\psi_k$ are both c.u.s., because they can both be written as $\mathrm{LTL}^{k-1}$-bMTL formulas, all of which are c.u.s. by inductive hypothesis; one can also check that $\neg\eta^\delta_\mathbb{Z}[\psi_k] = \eta^\delta_\mathbb{Z}[\neg\psi_k]$ by pushing negations down to propositional letters and using the inductive hypothesis again. So all $\mathrm{LTL}^k$-bMTL formulas are c.u.s. from Theorem 21. □



A similar corollary for c.u.i.s. cannot be obtained along the same lines, due to 
the transformation of until and its dual release under the canonical adaptation 



4 Verification via Sampling 

The notion of sampling invariance defines rigorously the connection between the 
non-Berkeley dense-time semantics and the discrete-time semantics of MTL, un- 
der the sampling relationship. On the one hand, this allows the formal descrip- 
tion — by means of temporal logic formulas — of systems where dense-time and 
discrete-time components evolve in parallel, and communicate through a sam- 
pler. In addition, the theory of the previous sections can spawn several derived 
results that facilitate the analysis of real-time systems at the interface between 
discrete and dense time. For instance, the notion of sampling can be used to 
describe system refinements from a "physical" dense-time model — close to a 
"real-world" physical description — to a more abstract discrete-time model — 
which is implementable on digital hardware. 

This section investigates another significant application of the notion of sam- 
pling and sampling invariance. Namely, it builds a verification technique for 
dense-time MTL based on discretization. The intuition is that, in order to an- 
alyze the behaviors induced by a set of dense-endpoint bMTL formulas, their 
discrete-time samplings are analyzed instead. The results about sampling in- 
variance allow us to move the results of the discrete-time analysis back to the 
dense-time domain, under some restrictions. 
The following Section 4.1 shows how to build discrete-time under- and over-approximations of any bMTL formula. The over-approximation embodies discrete-time behaviors that are preserved into dense time, whereas the under-approximation represents discrete-time counter-examples that are preserved into dense time. Together, they allow a partial reduction of dense-time satisfiability for bMTL over non-Berkeley behaviors to discrete-time MTL satisfiability. In order to perform system verification (i.e., checking if a given system satisfies certain putative properties), the under- and over-approximations of formulas can be combined to build two instances of the verification problem in the form of two validity checking problems for discrete-endpoint MTL formulas. This procedure is shown in Section 4.2. Finally, Section 4.3 comments on a few key issues of this verification procedure, in particular its strengths and weaknesses from a mostly practical viewpoint.



4.1 Under- and Over-Approximations

The under- and over-approximation functions $\Omega_\delta, O_\delta$ are mappings from dense-endpoint bMTL formulas to discrete-endpoint bMTL formulas, parametric with respect to a sampling period $\delta$. Given a bMTL formula $\phi$, $\Omega_\delta[\phi]$ and $O_\delta[\phi]$ retain some properties of the discrete-time samplings of the dense-time behaviors in $B^\delta_{\mathcal{P},\mathbb{R}}$ satisfying $\phi$. Correspondingly, it is possible to infer the validity of $\phi$ over dense time from the validity of its approximations. For reasons that will become apparent shortly, $\Omega_\delta[\phi]$ is named under-approximation of $\phi$ and $O_\delta[\phi]$ over-approximation. Unsurprisingly, $\Omega_\delta, O_\delta$ are closely related to the canonical adaptations $\eta^\delta_\mathbb{Z}, \eta^\delta_\mathbb{R}$; in particular the over-approximation is a sort of inverse of the mapping $\eta^\delta_\mathbb{R}$. Their precise definition requires the introduction of the notion of granularity.



4.1.1 Granularity 

For an MTL formula $\phi$, let $\mathcal{I}_\phi = \{r_i/R_i\}_i$ be the set of all non-null, finite interval end-points appearing in $\phi$ and put in their irreducible form.$^{13}$ The granularity $\rho_\phi$ of $\phi$ is defined as the pair $\rho_\phi = (r_\phi, R_\phi) = (\gcd_i r_i, \mathrm{lcm}_i R_i)$. Correspondingly, let us consider the set $\mathcal{D}_\phi$ of rationals$^{14}$

$$\mathcal{D}_\phi = \left\{ \frac{d}{D} \;\middle|\; d \mid r_\phi \text{ and } R_\phi \mid D \right\}.$$

It can be shown that, for any positive rational $\delta$ and $q \in \mathcal{I}_\phi$, $q/\delta$ is an integer iff $\delta \in \mathcal{D}_\phi$; i.e., $\mathcal{D}_\phi$ is the set of sampling periods $\delta$ such that any interval bound in $\phi$ is an integer when divided by $\delta$. Notice that $\mathcal{D}_\phi$ has a maximum (given by $r_\phi/R_\phi$) but no minimum. Finally, for a set of formulas $\Phi$, $\mathcal{D}_\Phi$ is defined as $\mathcal{D}_\psi$ where $\psi = \bigwedge_{\phi \in \Phi} \phi$.
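The granularity computation above is small enough to be made concrete. The following Python block is an added example (not code from the paper): it computes $\rho_\phi$ from a list of end-points, decides membership in $\mathcal{D}_\phi$ on the irreducible form $d/D$ of a candidate period, and cross-checks that decision against the property $\mathcal{D}_\phi$ characterises (every end-point divided by $\delta$ is an integer) on a grid of rationals. The sample end-points $3/2$, $9/4$, $3$ are constructed for the example; the observation that membership can be tested on the irreducible form alone follows from $\gcd(r_\phi, R_\phi) = 1$, which holds because every $r_i/R_i$ is irreducible.

```python
"""Granularity rho_phi and the set D_phi of admissible sampling periods (Section 4.1.1).

Added example, not code from the paper: it computes rho_phi = (gcd_i r_i, lcm_i R_i)
from the non-null finite interval end-points r_i/R_i of a formula, decides
delta in D_phi = { d/D | d divides r_phi and R_phi divides D }, and cross-checks
the claim that delta in D_phi iff every end-point divided by delta is an integer.
"""
from fractions import Fraction
from functools import reduce
from math import gcd
from typing import Iterable, List, Tuple

Granularity = Tuple[int, int]  # (r_phi, R_phi)


def _lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def granularity(endpoints: Iterable[Fraction]) -> Granularity:
    """rho_phi over the non-null finite end-points of phi.

    Fraction() keeps every end-point in irreducible form r_i/R_i, as the
    definition requires; zero end-points are dropped, +infinity is never passed in.
    """
    eps = [e for e in (Fraction(e) for e in endpoints) if e != 0]
    if not eps:
        raise ValueError("phi has no non-null finite end-points: rho_phi undefined")
    r = reduce(gcd, (e.numerator for e in eps))
    R = reduce(_lcm, (e.denominator for e in eps))
    return r, R


def in_D(delta: Fraction, rho: Granularity) -> bool:
    """delta in D_phi, tested on the irreducible form d/D of delta.

    Because gcd(r_phi, R_phi) = 1 (each r_i/R_i is irreducible), membership does
    not depend on which representation d/D of delta is chosen, so testing the
    irreducible one is enough.
    """
    r, R = rho
    delta = Fraction(delta)
    if delta <= 0:
        return False
    return r % delta.numerator == 0 and delta.denominator % R == 0


def bounds_integral(delta: Fraction, endpoints: Iterable[Fraction]) -> bool:
    """The property D_phi characterises: q/delta is an integer for all q in I_phi."""
    delta = Fraction(delta)
    return all((Fraction(e) / delta).denominator == 1
               for e in endpoints if Fraction(e) != 0)


def max_period(rho: Granularity) -> Fraction:
    """The maximum of D_phi, r_phi / R_phi."""
    return Fraction(rho[0], rho[1])


def halving_chain(delta: Fraction, rho: Granularity, steps: int = 4) -> List[Fraction]:
    """D_phi has no minimum: if delta = d/D is in D_phi then so is delta/2 = d/(2D),
    because R_phi | D implies R_phi | 2D. Returns delta/2, delta/4, ... as evidence."""
    chain = []
    for _ in range(steps):
        delta = Fraction(delta) / 2
        if not in_D(delta, rho):
            raise AssertionError(f"{delta} unexpectedly outside D_phi")
        chain.append(delta)
    return chain


def consistent_on_grid(endpoints: Iterable[Fraction], rho: Granularity,
                       max_num: int = 8, max_den: int = 8) -> bool:
    """Cross-check in_D against bounds_integral for every n/m in a small grid."""
    endpoints = [Fraction(e) for e in endpoints]
    return all(in_D(Fraction(n, m), rho) == bounds_integral(Fraction(n, m), endpoints)
               for n in range(1, max_num + 1) for m in range(1, max_den + 1))


if __name__ == "__main__":
    # Constructed end-points, e.g. from U_[3/2, 9/4] and R_[0, 3]: 0 is null and dropped.
    I_phi = [Fraction(3, 2), Fraction(9, 4), Fraction(3)]
    rho = granularity(I_phi)
    print("rho_phi =", rho, " max D_phi =", max_period(rho))
    for cand in [Fraction(3, 4), Fraction(1, 4), Fraction(1, 2), Fraction(3, 2)]:
        print(f"delta = {cand}: in D_phi? {in_D(cand, rho)}")
```

For the constructed end-points, $\rho_\phi = (3, 4)$, the largest admissible period is $3/4$, and $1/2$ is rejected because $9/4$ divided by $1/2$ is not an integer.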



4.1.2 Under-Approximation

The under-approximation function $\Omega_\delta$ maps dense-endpoint MTL formulas to discrete-endpoint MTL formulas such that the non-validity of the latter implies the non-validity of the former, over behaviors in $B^\delta_{\mathcal{P},\mathbb{R}}$. More precisely, $\Omega_\delta[\phi]$ is defined only for MTL formulas such that $\delta$ is in $\mathcal{D}_\phi$, where it coincides with $\eta^\delta_\mathbb{Z}$. The following lemma justifies the name under-approximation.

Lemma 24 (Under-approximation). For any dense-endpoint bMTL formula $\phi$, $\delta \in \mathcal{D}_\phi$, and $b \in B_{\mathcal{P},\mathbb{Z}}$: if $b \not\models_\mathbb{Z} \Omega_\delta[\phi]$ then for all $b' \in B^\delta_{\mathcal{P},\mathbb{R}}$ such that $\sigma^\delta_\mathbb{Z}[b'] = b$ it is $b' \not\models_\mathbb{R} \phi$.

Proof. $\phi$ is a dense-endpoint bMTL formula, hence it is c.u.s. from Theorem 15: for any $b \in B^\delta_{\mathcal{P},\mathbb{R}}$, if $b \models_\mathbb{R} \phi$ then $\sigma^\delta_\mathbb{Z}[b] \models_\mathbb{Z} \eta^\delta_\mathbb{Z}[\phi]$. By taking the contrapositive, and by noticing that $\eta^\delta_\mathbb{Z}$ and $\Omega_\delta$ coincide when they are both defined, we have that for any $b \in B^\delta_{\mathcal{P},\mathbb{R}}$, if $\sigma^\delta_\mathbb{Z}[b] \not\models_\mathbb{Z} \Omega_\delta[\phi]$ then $b \not\models_\mathbb{R} \phi$. □

13 Recall that all finite endpoints are rationals (Section 2.2.1).
14 Recall that $a \mid b$ denotes that $b$ is an integer multiple of $a$.

4.1.3 Over-Approximation

The over-approximation function $O_\delta$ maps dense-endpoint MTL formulas to discrete-endpoint MTL formulas such that the validity of the latter implies the validity of the former, over behaviors in $B^\delta_{\mathcal{P},\mathbb{R}}$. More precisely, $O_\delta[\phi]$ is defined only for MTL formulas such that $\delta$ is in $\mathcal{D}_\phi$, where it is a pseudo-inverse of $\eta^\delta_\mathbb{R}$. For an interval $I$ with end-points $l$ and $u$, the temporal and Boolean cases of $O_\delta$ are:

$$\begin{aligned}
O_\delta[\mathrm{U}_I(\phi_1,\phi_2)] &= \mathrm{U}_{[l/\delta+1,\; u/\delta-1]}(O_\delta[\phi_1], O_\delta[\phi_2]) \\
O_\delta[\mathrm{R}_I(\phi_1,\phi_2)] &= \mathrm{R}_{[l/\delta-1,\; u/\delta+1]}(O_\delta[\phi_1], O_\delta[\phi_2]) \\
O_\delta[\phi_1 \wedge \phi_2] &= O_\delta[\phi_1] \wedge O_\delta[\phi_2] \\
O_\delta[\phi_1 \vee \phi_2] &= O_\delta[\phi_1] \vee O_\delta[\phi_2]
\end{aligned}$$

The following lemma justifies the name over-approximation.

Lemma 25 (Over-approximation). For any dense-endpoint bMTL formula $\phi$, $\delta \in \mathcal{D}_\phi$, and $b \in B_{\mathcal{P},\mathbb{Z}}$: if $b \models_\mathbb{Z} O_\delta[\phi]$ then for all $b' \in B^\delta_{\mathcal{P},\mathbb{R}}$ such that $\sigma^\delta_\mathbb{Z}[b'] = b$ it is $b' \models_\mathbb{R} \phi$.

Proof. If $\phi$ is a dense-endpoint bMTL formula, then $O_\delta[\phi]$ is a discrete-endpoint bMTL formula. Hence the latter is c.u.i.s. from Theorem 15: for any $b \in B_{\mathcal{P},\mathbb{Z}}$, if $b \models_\mathbb{Z} O_\delta[\phi]$ then $b' \models_\mathbb{R} \eta^\delta_\mathbb{R}[O_\delta[\phi]]$ holds for all $b' \in B^\delta_{\mathcal{P},\mathbb{R}}$ such that $b = \sigma^\delta_\mathbb{Z}[b']$.

One can check that the dense-time validity of the formula $\eta^\delta_\mathbb{R}[O_\delta[\phi]] \Rightarrow \phi$ is guaranteed by the definitions of $\eta^\delta_\mathbb{R}$ and $O_\delta$. In particular, $\eta^\delta_\mathbb{R} \circ O_\delta$ is an identity for release (and trigger) operators with closed intervals. On the other hand, $\eta^\delta_\mathbb{R} \circ O_\delta$ yields stronger formulas for release (and trigger) operators with open intervals and for until (and since) operators. The latter holds also from the fact that $\eta^\delta_\mathbb{R}[\mathrm{U}_{[l,u]}(\pi_1,\pi_2)]$ is $\mathrm{U}_{((l-1)\delta,(u+1)\delta)}(\pi_1,\pi_2)$. It is easy to check that these properties of basic operators can be lifted to whole formulas by application of straightforward propositional identities on the negation normal form in which MTL formulas are expressed. In all, $b' \models_\mathbb{R} \eta^\delta_\mathbb{R}[O_\delta[\phi]]$ implies $b' \models_\mathbb{R} \phi$. □

4.2 MTL Verification 

In the formal timed setting, verification consists in checking whether all behaviors generated by a system model (usually called specification) satisfy some given putative property (usually called requirements) [HM96]. Assume that both the specification and the requirements are formalized as MTL formulas $\phi_\mathrm{sys}$ and $\phi_\mathrm{prop}$, respectively. Verification of $\phi_\mathrm{sys}$ against $\phi_\mathrm{prop}$ is equivalent to checking the validity of the dense-endpoint MTL formula $\phi_\mathrm{verif} = \mathrm{Alw}(\phi_\mathrm{sys}) \Rightarrow \mathrm{Alw}(\phi_\mathrm{prop})$. If $\phi_\mathrm{verif}$ is valid, any behavior of the system also respects the requirements; i.e., we have checked that $[\![\phi_\mathrm{sys}]\!]_\mathbb{R} \subseteq [\![\phi_\mathrm{prop}]\!]_\mathbb{R}$. On the contrary, if $\phi_\mathrm{verif}$ is not valid, there exists at least one behavior of the system that violates the requirements; i.e., $[\![\phi_\mathrm{sys}]\!]_\mathbb{R} \cap [\![\neg\phi_\mathrm{prop}]\!]_\mathbb{R}$ is not empty, so $[\![\phi_\mathrm{sys}]\!]_\mathbb{R} \not\subseteq [\![\phi_\mathrm{prop}]\!]_\mathbb{R}$.

In this section, we describe a verification algorithm that is applicable to specifications and requirements in bMTL over non-Berkeley dense-time behaviors. The algorithm is based on the following.

Proposition 26 (Model approximations). For any bMTL formulas $\phi_1, \phi_2$, and for any $\delta \in \mathcal{D}_{\{\phi_1,\phi_2\}}$:

1. if $\mathrm{Alw}(\Omega_\delta[\phi_1]) \Rightarrow \mathrm{Alw}(O_\delta[\phi_2])$ is $\mathbb{Z}$-valid, then $\mathrm{Alw}(\phi_1) \Rightarrow \mathrm{Alw}(\phi_2)$ is $\mathbb{R}^\delta$-valid;

2. if $\mathrm{Alw}(O_\delta[\phi_1]) \Rightarrow \mathrm{Alw}(\Omega_\delta[\phi_2])$ is not $\mathbb{Z}$-valid, then $\mathrm{Alw}(\phi_1) \Rightarrow \mathrm{Alw}(\phi_2)$ is not $\mathbb{R}^\delta$-valid.

Proof. (1). Let $\delta \in \mathcal{D}_{\{\phi_1,\phi_2\}}$. Assume that $\mathrm{Alw}(\Omega_\delta[\phi_1]) \Rightarrow \mathrm{Alw}(O_\delta[\phi_2])$ is $\mathbb{Z}$-valid. That is, for all $b \in B_{\mathcal{P},\mathbb{Z}}$ it is $b \not\models_\mathbb{Z} \Omega_\delta[\phi_1]$ or $b \models_\mathbb{Z} O_\delta[\phi_2]$. From Lemmas 25 and 24 this implies that for all $b \in B_{\mathcal{P},\mathbb{Z}}$, for all $b' \in B^\delta_{\mathcal{P},\mathbb{R}}$ such that $\sigma^\delta_\mathbb{Z}[b'] = b$, it is either $b' \not\models_\mathbb{R} \phi_1$ or $b' \models_\mathbb{R} \phi_2$. Since $\sigma^\delta_\mathbb{Z}$ is total, for any $b' \in B^\delta_{\mathcal{P},\mathbb{R}}$ there exists a $b \in B_{\mathcal{P},\mathbb{Z}}$ such that $\sigma^\delta_\mathbb{Z}[b'] = b$. We conclude that for all $b' \in B^\delta_{\mathcal{P},\mathbb{R}}$, either $b' \not\models_\mathbb{R} \phi_1$ or $b' \models_\mathbb{R} \phi_2$; i.e., $\mathrm{Alw}(\phi_1) \Rightarrow \mathrm{Alw}(\phi_2)$ is $\mathbb{R}^\delta$-valid. The proof of (2) is obtainable from the proof of (1) by duality. □

4.2.1 Verification Algorithm 

Proposition 26 suggests to introduce the following notation. Given a set of formulas $\Phi_\mathrm{sys} = \{\phi^i_\mathrm{sys}\}_i$ such that $\phi_\mathrm{sys} = \bigwedge_i \mathrm{Alw}(\phi^i_\mathrm{sys})$ represents a formal model of the system, and a formula $\phi_\mathrm{prop}$ that represents a formal statement of the requirements, let us define the discrete-endpoint formulas:

$$\phi^O \triangleq \bigwedge_i \mathrm{Alw}(\Omega_\delta[\phi^i_\mathrm{sys}]) \Rightarrow \mathrm{Alw}(O_\delta[\phi_\mathrm{prop}])$$

$$\phi^\Omega \triangleq \bigwedge_i \mathrm{Alw}(O_\delta[\phi^i_\mathrm{sys}]) \Rightarrow \mathrm{Alw}(\Omega_\delta[\phi_\mathrm{prop}])$$

Let us call $\phi^O$ and $\phi^\Omega$ over-model and under-model of the system, respectively (in analogy with Lemmas 25 and 24), because the former preserves validity and the latter non-validity.

A verification algorithm for systems and properties specified as dense-endpoint bMTL formulas can be formalized as follows, where Z-VALID? is a validity-checking procedure for discrete-endpoint MTL formulas.

bMTL-VERIFY($\delta : \mathbb{R}_{>0}$, $\Phi_\mathrm{sys} = \{\phi^i_\mathrm{sys}\}_i$, $\phi_\mathrm{prop}$ : bMTL) : $\{\top, \bot, \mathrm{fail}\}$
1  assume $\delta \in \mathcal{D}_{\Phi_\mathrm{sys} \cup \{\phi_\mathrm{prop}\}}$
2  $\phi^O \leftarrow \bigwedge_i \mathrm{Alw}(\Omega_\delta[\phi^i_\mathrm{sys}]) \Rightarrow \mathrm{Alw}(O_\delta[\phi_\mathrm{prop}])$
3  $\phi^\Omega \leftarrow \bigwedge_i \mathrm{Alw}(O_\delta[\phi^i_\mathrm{sys}]) \Rightarrow \mathrm{Alw}(\Omega_\delta[\phi_\mathrm{prop}])$
4  if Z-VALID?($\phi^O$)                ▷ $\phi^O$ valid over discrete time?
5      then return $\top$               ▷ verification over $B^\delta_{\mathcal{P},\mathbb{R}}$ successful
6  else if ¬Z-VALID?($\phi^\Omega$)      ▷ $\phi^\Omega$ not valid over discrete time?
7      then return $\bot$               ▷ verification over $B^\delta_{\mathcal{P},\mathbb{R}}$ not successful
8  else return fail                    ▷ cannot conclude any verification result

The correctness of the algorithm follows directly from Proposition 26, keeping in mind that $b \models_\mathbb{T} \mathrm{Alw}(\psi_1) \wedge \mathrm{Alw}(\psi_2)$ iff $b \models_\mathbb{T} \mathrm{Alw}(\psi_1)$ and $b \models_\mathbb{T} \mathrm{Alw}(\psi_2)$.



4.2.2 Incompleteness 

A verification algorithm is complete if, for any input, it terminates with a conclusive result about whether the given requirements $\phi_\mathrm{prop}$ are indeed a property of the system $\phi_\mathrm{sys}$ or not.

The verification algorithm for bMTL we provided above is incomplete, as it can fail to provide a conclusive answer about whether $\phi_\mathrm{prop}$ is indeed a property of all behaviors of the system $\phi_\mathrm{sys}$. The incompleteness is two-fold. First, the algorithm does not consider all dense-time behaviors $B_{\mathcal{P},\mathbb{R}}$, but only those in $B^\delta_{\mathcal{P},\mathbb{R}}$, i.e., "slow" with respect to some chosen sampling period $\delta$. Hence, it may be that $\phi_\mathrm{prop}$ does not hold for some "real" behavior of the system which is "fast", i.e., for some behavior in $[\![\phi_\mathrm{sys}]\!]_\mathbb{R} \setminus [\![\phi_\mathrm{sys}]\!]_{\mathbb{R}^\delta}$. Second, the under- and over-model $\phi^\Omega, \phi^O$ are in general non-equivalent discrete-endpoint formulas. Hence, it is possible that $\phi^O$ is not valid and $\phi^\Omega$ is valid; if this is the case no conclusion about the verification of the system can be drawn.

Since the algorithm is parametric with respect to $\delta$, smaller values of $\delta$ can be tried in order to avoid the incompleteness hurdle. Changing the value of $\delta$ affects the verification problem in two ways: more ("faster") behaviors are considered for verification, and new under- and over-models are generated that represent a "finer-grain" discretization of the original problem. These two aspects interact in subtle ways because they change the verification problem from two opposite sides. By combining them, one may expect to achieve at least the following partial notion of completeness: if $\phi_\mathrm{prop}$ is a property of $\phi_\mathrm{sys}$ over behaviors in $B^\delta_{\mathcal{P},\mathbb{R}}$ for some choice of $\delta$, then there exists a suitable choice of $\delta$ such that bMTL-VERIFY($\delta, \phi_\mathrm{sys}, \phi_\mathrm{prop}$) returns $\top$; and conversely when $\phi_\mathrm{prop}$ is not a property of $\phi_\mathrm{sys}$. Unfortunately, the following example shows that even this weaker notion of completeness is not achieved by the algorithm.

Example 27 (Incompleteness of the algorithm). Consider a simple set of behaviors completely described by the formulas in Table 2. It should be clear that all behaviors $b \in [\![\mathrm{Alw}(\phi^1_\mathrm{sys}) \wedge \mathrm{Alw}(\phi^2_\mathrm{sys})]\!]_\mathbb{R}$ of the system are such that $p$ holds on some interval $V = (t, +\infty)$ and $\neg p$ holds on the complement interval $\mathbb{R} \setminus V$ (which is unbounded to the left). Hence, any such $b$ satisfies property $\phi_\mathrm{prop}$ and is in $B^\delta_{\mathcal{P},\mathbb{R}}$ for any $\delta$.

$\phi^1_\mathrm{sys} = \mathrm{Som}(p) \wedge \mathrm{Som}(\neg p)$
$\phi^2_\mathrm{sys} = p \Rightarrow \Box(p)$
$\phi_\mathrm{prop} = p \Rightarrow \Diamond_{=1}(p)$

Table 2: $\Phi_\mathrm{sys}$ and $\phi_\mathrm{prop}$.

Table 3 shows the over- and under-models of this system for any $\delta \in \mathcal{D}_{\Phi_\mathrm{sys} \cup \{\phi_\mathrm{prop}\}} = \{1/k \mid k \in \mathbb{N}_{>0}\}$, after some simplifications (in particular, $O_\delta[\phi^2_\mathrm{sys}] = \neg p \vee \Box_{[-1,+\infty)}(p)$ is equivalent to the formula in Table 3 under the global satisfiability semantics). It is simple to check that, for any value of $\delta$, the over-model $\phi^O$ is not valid because $\mathrm{Alw}(O_\delta[\phi_\mathrm{prop}])$ contradicts $\mathrm{Alw}(\Omega_\delta[\phi^1_\mathrm{sys}])$. Also for any value of $\delta$ the under-model $\phi^\Omega$ is vacuously valid because $\mathrm{Alw}(O_\delta[\phi^1_\mathrm{sys}])$ is inconsistent with $\mathrm{Alw}(O_\delta[\phi^2_\mathrm{sys}])$. In all, we cannot verify our system with our algorithm, no matter what value of sampling period we choose.



$\Omega_\delta[\phi^1_\mathrm{sys}] = \mathrm{Som}(p) \wedge \mathrm{Som}(\neg p)$      $O_\delta[\phi^1_\mathrm{sys}] = \mathrm{Som}(p) \wedge \mathrm{Som}(\neg p)$
$\Omega_\delta[\phi^2_\mathrm{sys}] = p \Rightarrow \Box(p)$                            $O_\delta[\phi^2_\mathrm{sys}] = \mathrm{Alw}(p) \vee \mathrm{Alw}(\neg p)$
$\Omega_\delta[\phi_\mathrm{prop}] = p \Rightarrow \Diamond_{=k}(p)$                  $O_\delta[\phi_\mathrm{prop}] = \neg p$

Table 3: Under- and over-models of $\Phi_\mathrm{sys}$, $\phi_\mathrm{prop}$ for $\delta = 1/k$.



In spite of its incompleteness, in the next section we discuss why the verifi- 
cation algorithm can still provide practically very useful results. 

4.3 Discussion 

In related work, we proved that MTL is fully decidable over dense-time non-Berkeley behaviors $B^\delta_{\mathcal{P},\mathbb{R}}$ for any $\delta$ [FR08], with the same worst-case complexity as discrete-time MTL; hence an incomplete decision procedure may seem impractical. In this section we demonstrate that this is not the case, and we discuss how the impact of incompleteness can be limited in practice with the application of a few good practices.

First of all, the decision procedure for MTL over $B^\delta_{\mathcal{P},\mathbb{R}}$ (the only one currently available [FR08]) relies on a rather exotic decision procedure, which translates MTL to a family of uncommon decidable real-time temporal logics introduced by Hirshfeld and Rabinovich [HR04]. The decision procedures for such logics have never been implemented, and seem quite complex in practice. More generally, the practical high complexity of deciding temporal logics over dense-time domains is witnessed not only by theoretical results, but also by the current scarcity of state-of-the-art tools that implement such decision procedures. Even the well-known real-time temporal logic MITL, whose decidability over dense time is known since the seminal work of Alur, Feder, and Henzinger [AFH96], still lacks an implementation, despite the recent efforts towards simplifying its decision procedure [HR05, MNP06].

Compare this unsatisfactory picture to the vastly different scenario of (real-time) temporal logics over discrete time, where a significant number of off-the-shelf efficient verification tools are available (e.g., [PMS07, BMP+07, PSSM03, CCG+02, DDMR09], just to mention a few for LTL/MTL). This suggests that a dense-time verification procedure based on discretization is very appealing from a practical viewpoint, because it can be implemented easily and it can rely on solid and scalable implementations. In fact, in related work [FPR08a, FPR08b, BFPR09] we presented the straightforward implementation of the verification procedure described in this section, and we demonstrated its practical efficiency with a few non-trivial verification examples.

The same examples also show that the flat fragment of MTL retains (under the global satisfiability semantics) a significant expressive power, suitable to formalize typical behaviors of real-time systems. For example, it is possible to describe runs of arbitrary timed automata or bounded time Petri nets over non-Berkeley behaviors. The formalization in flat MTL of these complex abstract machines is far from straightforward and requires a careful analysis to avoid inconsistencies. However, the experience of [FPR08a, FPR08b, BFPR09] can be leveraged and extended to similar systems described by means of the notions of state and transition.

Even the incompleteness of our verification algorithm turns out not to be too large a handicap in practice. More precisely, the fact that equivalent dense-endpoint formulas can yield nonequivalent discrete-time under- or over-approximations can be turned into an advantage: with some additional effort in writing the dense-time model of our system, we can often express it in a form whose over- and under-models are unaffected by incompleteness. This effort can in general be non-trivial, but it can give very good practical results nonetheless. The following example provides a few in-the-small demonstrations of our claims, whereas more complex cases have been introduced elsewhere [FPR08b, BFPR09].



Example 28. Let us go back to Example 27 and change formula $\phi^2_\mathrm{sys}$ into $\psi_\mathrm{sys} = p \Rightarrow \Box_{\geq\delta}(p)$, according to the chosen sampling period $\delta$. A little reasoning should convince us that $\mathrm{Alw}(\phi^2_\mathrm{sys})$ is equivalent to $\mathrm{Alw}(\psi_\mathrm{sys})$ over behaviors in $B^\delta_{\mathcal{P},\mathbb{R}}$: if $p$ holds at some time $t$ as well as over the left-closed interval $t \oplus [\delta, +\infty)$, it cannot be false anywhere in $(t, t+\delta)$ because this would violate the hypothesis of non-Berkeleyness for the given $\delta$. Let us take our system model to be $\Phi_\mathrm{sys} = \{\phi^1_\mathrm{sys}, \psi_\mathrm{sys}\}$, and let us build its under-model $\phi^\Omega$, which contains the over-approximations of the system formulas. Notice that $O_\delta[\psi_\mathrm{sys}]$ can be computed as $p \Rightarrow \Box(p)$; unlike $O_\delta[\phi^2_\mathrm{sys}]$, this is an accurate discrete-time rendition of the dense-time model, so the under-model is no longer vacuously valid.

Let us now turn our attention to property $\phi_\mathrm{prop}$ in Example 27. It should be apparent that its over-approximation $O_\delta[\phi_\mathrm{prop}] = \neg p$ is very unsatisfactory, and it is unlikely to yield valuable results when used in the over-model. Consider however formula $\phi'_\mathrm{prop} = p \Rightarrow \Box_{=1}(p)$; $\phi'_\mathrm{prop}$ is trivially equivalent to $\phi_\mathrm{prop}$. However, its over-approximation is the much more reasonable $p \Rightarrow \Box_{[k-1,k+1]}(p)$, which is non-trivially satisfiable for any $k > 1$. With $\phi'_\mathrm{prop}$ as requirement, it is now possible to prove that the over-model $\phi^O$ is $\mathbb{Z}$-valid for any $\delta = 1/k$, which verifies our system over dense time.
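The two rewrites of Example 28 can be reproduced mechanically by applying the case table of $O_\delta$ from Section 4.1.3 to formulas in negation normal form. The following Python block is an added example, not code from the paper: it represents bMTL formulas as small dataclasses, implements the four table cases (until intervals shrink by one unit on each side, release intervals grow), and adds two assumptions the table leaves implicit: literals and Boolean constants map to themselves, and an until over an empty interval is simplified to $\bot$ (dually, a release over an empty interval to $\top$), which is what makes $O_\delta[p \Rightarrow \Diamond_{=1}(p)]$ collapse to $\neg p$. The abbreviations $\Diamond_I(\phi) = \mathrm{U}_I(\top,\phi)$, $\Box_I(\phi) = \mathrm{R}_I(\bot,\phi)$ and $p \Rightarrow \phi = \neg p \vee \phi$ are also assumed here. The names `over_approx`, `show`, `Lit`, `Until` and `Release` are this example's own.

```python
"""Over-approximation O_delta (Section 4.1.3) applied to the formulas of Examples 27 and 28.

Added example, not code from the paper. Formulas are kept in negation normal form
with the four cases of the O_delta table; literals and Boolean constants (which the
table leaves implicit) are mapped to themselves, and an empty interval is simplified
to the constant it denotes (U over an empty interval is false, R over an empty
interval is true). Both simplifications are assumptions of this example.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional, Union

INF = None  # upper bound +infinity


@dataclass(frozen=True)
class Lit:
    name: str
    neg: bool = False


@dataclass(frozen=True)
class Const:
    value: bool


@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"


@dataclass(frozen=True)
class Or:
    left: "Formula"
    right: "Formula"


@dataclass(frozen=True)
class Until:          # U_[lo,hi](left, right); hi=None means +infinity
    lo: Fraction
    hi: Optional[Fraction]
    left: "Formula"
    right: "Formula"


@dataclass(frozen=True)
class Release:        # R_[lo,hi](left, right); hi=None means +infinity
    lo: Fraction
    hi: Optional[Fraction]
    left: "Formula"
    right: "Formula"


Formula = Union[Lit, Const, And, Or, Until, Release]


def eventually(lo, hi, phi: Formula) -> Formula:   # Diamond_I(phi) = U_I(true, phi)
    return Until(Fraction(lo), None if hi is None else Fraction(hi), Const(True), phi)


def always(lo, hi, phi: Formula) -> Formula:       # Box_I(phi) = R_I(false, phi)
    return Release(Fraction(lo), None if hi is None else Fraction(hi), Const(False), phi)


def implies(p: str, phi: Formula) -> Formula:      # p => phi, in NNF: not-p or phi
    return Or(Lit(p, neg=True), phi)


def _scaled(x: Fraction, delta: Fraction) -> Fraction:
    """x/delta must be an integer, i.e. delta must belong to D_phi (Section 4.1.1)."""
    q = x / delta
    if q.denominator != 1:
        raise ValueError(f"{x}/{delta} is not an integer: delta is outside D_phi")
    return q


def _or(a: Formula, b: Formula) -> Formula:
    if a == Const(False): return b
    if b == Const(False): return a
    if Const(True) in (a, b): return Const(True)
    return Or(a, b)


def _and(a: Formula, b: Formula) -> Formula:
    if a == Const(True): return b
    if b == Const(True): return a
    if Const(False) in (a, b): return Const(False)
    return And(a, b)


def over_approx(phi: Formula, delta: Fraction) -> Formula:
    """O_delta: until intervals shrink by one unit on each side, release intervals grow."""
    delta = Fraction(delta)
    if isinstance(phi, (Lit, Const)):
        return phi                                   # assumed base case
    if isinstance(phi, And):
        return _and(over_approx(phi.left, delta), over_approx(phi.right, delta))
    if isinstance(phi, Or):
        return _or(over_approx(phi.left, delta), over_approx(phi.right, delta))
    l, r = over_approx(phi.left, delta), over_approx(phi.right, delta)
    lo = _scaled(phi.lo, delta)
    hi = None if phi.hi is None else _scaled(phi.hi, delta)
    if isinstance(phi, Until):
        lo, hi = lo + 1, (None if hi is None else hi - 1)
        return Const(False) if hi is not None and lo > hi else Until(lo, hi, l, r)
    lo, hi = lo - 1, (None if hi is None else hi + 1)
    return Const(True) if hi is not None and lo > hi else Release(lo, hi, l, r)


def show(phi: Formula) -> str:
    if isinstance(phi, Lit): return ("!" if phi.neg else "") + phi.name
    if isinstance(phi, Const): return "true" if phi.value else "false"
    if isinstance(phi, And): return f"({show(phi.left)} & {show(phi.right)})"
    if isinstance(phi, Or): return f"({show(phi.left)} | {show(phi.right)})"
    hi = "inf" if phi.hi is None else str(phi.hi)
    op = "U" if isinstance(phi, Until) else "R"
    return f"{op}[{phi.lo},{hi}]({show(phi.left)}, {show(phi.right)})"


if __name__ == "__main__":
    delta = Fraction(1, 4)   # k = 4
    phi_prop = implies("p", eventually(1, 1, Lit("p")))        # p => Diamond_{=1}(p)
    phi_prop2 = implies("p", always(1, 1, Lit("p")))           # p => Box_{=1}(p)
    psi_sys = implies("p", always(delta, INF, Lit("p")))       # p => Box_{>=delta}(p)
    phi2_sys = implies("p", always(0, INF, Lit("p")))          # p => Box(p)
    for f in (phi_prop, phi_prop2, psi_sys, phi2_sys):
        print(f"{show(f):32} |->  {show(over_approx(f, delta))}")
```

With $\delta = 1/4$ the run prints $\neg p$ for $\phi_\mathrm{prop}$, $\neg p \vee \mathrm{R}_{[3,5]}(\bot, p)$ for $\phi'_\mathrm{prop}$, $\neg p \vee \mathrm{R}_{[0,\infty)}(\bot, p)$ for $\psi_\mathrm{sys}$ and $\neg p \vee \mathrm{R}_{[-1,\infty)}(\bot, p)$ for $\phi^2_\mathrm{sys}$; the last one is the syntactic form whose global-satisfiability reading is the $\mathrm{Alw}(p) \vee \mathrm{Alw}(\neg p)$ of Table 3.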
5 Related Work



The relationship between dense and discrete real-time semantics has been in- 
vestigated by many authors. In this section we mention the approaches that 
are closest to ours, and we detail the most significant differences and relative 
merits. 

The seminal paper by Henzinger, Manna, and Pnueli [HMP92] is both the first and the best-known work dealing with the theme of dense vs. discrete real-time through the notion of digitization. Given the significance of this notion, Section 5.1 is devoted to a detailed summary of it, as well as to a comparison with sampling invariance. Section 5.2 succinctly describes other related work about the relation between dense and discrete time models for real-time formalisms. Finally, briefly widening the scope beyond real-time notations, the results of this paper seem to bear a connection with the classical theory of digital sampling (e.g., [BF01]). Section 5.3 sketches a partly formal analysis of this alleged link.



5.1 Comparison with Digitization 

Similarly to the notions of sampling and sampling invariance (introduced in Section 3), the notions of digitization and digitizability [HMP92] link dense- and discrete-time real-time semantics. The main purpose of digitization is to provide a means to reduce the verification problem from the richer dense-time semantics to the simpler discrete-time one. This section recalls the formal definition of digitization and digitizability and compares them against the notions of sampling, sampling invariance, and discrete-time approximations introduced in this paper.

There are two fundamental high-level differences between the frameworks 
of digitization and sampling; bridging them is necessary to carry out a formal 
comparison of the notions. First, our framework considers dense- and discrete- 
time behaviors as semantic structures, whereas digitization is defined for dense- 
and discrete-valued timed words. A timed word is a discrete sequence of times- 
tamped events, such that every event is assumed to occur at the absolute time 
value of its timestamp. Second, sampling invariance is a syntactic notion (i.e., it 
is a property that applies to formulas), whereas digitizability is a semantic no- 
tion (i.e., it is a property that applies to sets of timed words). Let us introduce 
formally these ideas and the precise notions of digitization and digitizability. 

Definition 29 (MTL timed word semantics). An (infinite) timed word over $\mathcal{P}$ is an $\omega$-sequence $(\sigma_0, t_0)(\sigma_1, t_1) \cdots (\sigma_i, t_i) \cdots$ in $(\mathcal{P} \times \mathbb{T})^\omega$, such that the sequence of timestamps $t_i$ is weakly monotonic and diverging. According to whether $\mathbb{T}$ is a dense (typically $\mathbb{R}_{\geq 0}$) or discrete (typically $\mathbb{N}$) set, the timed words are named dense- or discrete-valued.

MTL semantics over timed words is defined as expected: given a timed word $\rho$, a position $i \in \mathbb{N}$, and an MTL formula $\phi$, we write $\rho, i \models \phi$ iff $\rho$ satisfies $\phi$ at position $i$. The definition of the modalities is: $\rho, i \models \mathrm{U}_I(\phi_1, \phi_2)$ iff there exists $j \geq i$ such that $t_j \in t_i \oplus I$, $\rho, j \models \phi_2$, and $\rho, k \models \phi_1$ for all $i \leq k < j$; and $\rho, i \models \mathrm{R}_I(\phi_1, \phi_2)$ iff for all $j \geq i$ such that $t_j \in t_i \oplus I$, it is $\rho, j \models \phi_2$ or $\rho, k \models \phi_1$ for some $i \leq k < j$. Then, $\rho \models \phi$ iff $\rho, i \models \phi$ for all $i \in \mathbb{N}$.$^{15}$ Given a formula $\phi$, $((\phi))_\mathbb{T}$ denotes the set $\{\rho \mid \rho \models \phi\}$ of $\mathbb{T}$-valued timed words that satisfy $\phi$.

15 The digitization paper [HMP92] assumed an initial satisfiability semantics, but we adopt a global satisfiability semantics to allow a uniform comparison with sampling invariance (see Section 2.2.2); it should be clear that this is without loss of generality.

Definition 30 (Digitization and digitizability). Given a timed word $\rho = \{(\sigma_i, t_i) \mid i \in \mathbb{N}\}$ and a fractional value $0 < \epsilon \leq 1$, the $\epsilon$-digitization of $\rho$ is defined as the discrete-valued timed word $[\rho]_\epsilon = \{(\sigma_i, [t_i]_\epsilon) \mid i \in \mathbb{N}\}$, where $[t]_\epsilon$ is $\lfloor t \rfloor$ if $t < \lfloor t \rfloor + \epsilon$, and $\lceil t \rceil$ otherwise. The digitization of a set of timed words $\Pi$ is the set $[\Pi]$ of discrete-valued timed words defined as $\{[\rho]_\epsilon \mid \rho \in \Pi \text{ and } 0 < \epsilon \leq 1\}$, i.e., the set of all possible digitizations of words in $\Pi$.

A set of timed words $\Pi$ is: (1) closed under digitization (c.u.d.) iff $\rho \in \Pi$ implies $[\{\rho\}] \subseteq \Pi$; (2) closed under inverse digitization (c.u.i.d.) iff $[\{\rho\}] \subseteq \Pi$ implies $\rho \in \Pi$; (3) digitizable iff it is c.u.d. and c.u.i.d. Correspondingly, an MTL formula $\phi$ is c.u.d., c.u.i.d., or digitizable, iff $((\phi))_{\mathbb{R}_{\geq 0}}$ is.

For digitizable properties, discrete-time verification completely captures dense-time verification; more precisely, if a system specification is closed under digitization, and the requirements are closed under inverse digitization, the problem of determining if the specification meets the requirements is perfectly reducible to the discrete-time case. However, it is difficult to characterize a significant syntactic subset of MTL formulas that are digitizable, and in fact only a few examples are given in [HMP92]. Moreover, digitization exploits weakly-monotonic timed words to ensure that no dense-time event is lost when digitizing a dense-valued timed word; this is why no notion similar to non-Berkeleyness is introduced.

The following example shows that digitizability and sampling invariance define incomparable classes of MTL formulas, i.e., there exist sampling invariant non-digitizable formulas, as well as digitizable non sampling-invariant formulas. This demonstrates that the two notions have different angles, and it suggests that techniques for discrete-time verification of dense-time MTL formulas based on these two orthogonal notions may each have its own complementary strengths and weaknesses.

Example 31. For $h \in \mathbb{N}_{>0}$, let $\theta^\mathrm{snd}_h$ be the bMTL formula $p \Rightarrow \Diamond_{<h}(q)$. Theorem 15 proves that $\theta^\mathrm{snd}_h$ is s.i. Let us show that $\theta^\mathrm{snd}_h$ is instead not c.u.d., hence neither digitizable. Take any timed word $\sigma = \cdots (p, k)(q, k+h-1+\mu)(q, k+h+\mu) \cdots$ with $k \in \mathbb{N}$, $0 < \mu < 1$, and such that $p$ does not occur anywhere else. Any $\epsilon$-digitization of $\sigma$ for $\epsilon < \mu$ has the form $[\sigma]_\epsilon = \cdots (p, k)(q, k+h)(q, k+h+1) \cdots$. Hence $\theta^\mathrm{snd}_h$ is not c.u.d. because $\sigma \models \theta^\mathrm{snd}_h$ but $[\sigma]_\epsilon \not\models \theta^\mathrm{snd}_h$ for any such $\epsilon$.

For $h \in \mathbb{N}_{>0}$, let $\theta^\mathrm{dns}_h$ be the MTL formula $\mathrm{Som}(p \wedge \bigcirc(\neg p)) \wedge \psi_h$, where $\psi_h$ has been defined in Example 19. It is not difficult to show that $\mathrm{Som}(p \wedge \bigcirc(\neg p))$ is unsatisfiable in the timed word semantics, hence $\theta^\mathrm{dns}_h$ is trivially digitizable. Let us show that $\theta^\mathrm{dns}_h$ is instead not c.u.s., hence neither s.i. Take the same behavior $c \in B^h_{\mathcal{P},\mathbb{R}}$ of Example 19, where we further assume that $V$ is a right-closed interval (see the corresponding figure). $c \models_\mathbb{R} \theta^\mathrm{dns}_h$ because Example 19 showed that $c \models_\mathbb{R} \psi_h$, and $p \wedge \bigcirc(\neg p)$ holds at the right end-point of $V$. However, Example 19 also proved that $\sigma^h_\mathbb{Z}[c] \not\models_\mathbb{Z} \eta^h_\mathbb{Z}[\psi_h]$, so $\sigma^h_\mathbb{Z}[c] \not\models_\mathbb{Z} \eta^h_\mathbb{Z}[\theta^\mathrm{dns}_h]$ as well. Hence, $\theta^\mathrm{dns}_h$ is not c.u.s.
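The first half of Example 31 is easy to check by machine, and doing so also shows why the non-Berkeley constraint has no counterpart in the digitization framework: the digitization itself is just a rounding of timestamps. The following Python block is an added example, not code from [HMP92] or from the paper. It implements $[t]_\epsilon$ and $[\rho]_\epsilon$ as in Definition 30 on finite timed-word prefixes (constructed here), evaluates $\theta^\mathrm{snd}_h = p \Rightarrow \Diamond_{<h}(q)$ under the timed-word semantics of Definition 29 with global satisfiability, and searches a grid of $\epsilon$ values for digitizations of $\sigma$ that falsify $\theta^\mathrm{snd}_h$. Reading $\Diamond_{<h}(q)$ as $\mathrm{U}_{(0,h)}(\top, q)$, i.e. some position $j \geq i$ carrying $q$ with $0 < t_j - t_i < h$, is an assumption of this example; `example_31_word` and `digitization_violations` are its own names.

```python
"""epsilon-digitization of timed words (Definition 30) and the first half of Example 31.

Added example, not code from [HMP92] or from the paper. Timed words are finite
prefixes (constructed here); theta_h = p => Diamond_{<h}(q) is read, following the
timed-word semantics of Definition 29, as Diamond_{<h}(q) = U_{(0,h)}(true, q), i.e.
some position j >= i carries q with 0 < t_j - t_i < h, and it is checked under global
satisfiability. The choice of the open interval (0,h) is an assumption of this example.
"""
from fractions import Fraction
from math import ceil, floor
from typing import Iterable, List, Tuple

TimedWord = List[Tuple[str, Fraction]]   # (event, timestamp), weakly monotonic timestamps


def digitize_time(t: Fraction, eps: Fraction) -> int:
    """[t]_eps = floor(t) if t < floor(t) + eps, else ceil(t), for 0 < eps <= 1."""
    t, eps = Fraction(t), Fraction(eps)
    if not 0 < eps <= 1:
        raise ValueError("eps must satisfy 0 < eps <= 1")
    f = floor(t)
    return f if t < f + eps else ceil(t)


def digitize(word: TimedWord, eps: Fraction) -> TimedWord:
    """[rho]_eps: digitize every timestamp, keep the events and their order."""
    return [(ev, Fraction(digitize_time(t, eps))) for ev, t in word]


def satisfies_theta(word: TimedWord, h: int, p: str = "p", q: str = "q") -> bool:
    """rho |= p => Diamond_{<h}(q) at every position (global satisfiability)."""
    for i, (ev, t) in enumerate(word):
        if ev != p:
            continue
        if not any(ev2 == q and 0 < t2 - t < h for ev2, t2 in word[i:]):
            return False
    return True


def example_31_word(k: int, h: int, mu: Fraction) -> TimedWord:
    """sigma = (p,k)(q,k+h-1+mu)(q,k+h+mu) with 0 < mu < 1, p nowhere else (constructed)."""
    mu = Fraction(mu)
    if not 0 < mu < 1:
        raise ValueError("mu must satisfy 0 < mu < 1")
    return [("p", Fraction(k)), ("q", k + h - 1 + mu), ("q", k + h + mu)]


def digitization_violations(word: TimedWord, h: int, eps_grid: Iterable[Fraction]) -> List[Fraction]:
    """Values of eps in the grid whose digitization [word]_eps falsifies theta_h.

    A non-empty result is a witness that ((theta_h)) is not closed under
    digitization, provided word itself satisfies theta_h.
    """
    return [Fraction(e) for e in eps_grid if not satisfies_theta(digitize(word, e), h)]


if __name__ == "__main__":
    sigma = example_31_word(k=0, h=2, mu=Fraction(1, 2))      # (p,0)(q,3/2)(q,5/2)
    print("sigma |= theta_2:", satisfies_theta(sigma, 2))
    for eps in (Fraction(1, 4), Fraction(1, 2), Fraction(3, 4), Fraction(1)):
        d = digitize(sigma, eps)
        print(f"eps={eps}: [sigma]_eps = {[(e, int(t)) for e, t in d]}"
              f" |= theta_2: {satisfies_theta(d, 2)}")
```

For $k = 0$, $h = 2$, $\mu = 1/2$ the word $\sigma$ satisfies $\theta^\mathrm{snd}_2$ (the first $q$ is $3/2 < 2$ away from $p$), while $[\sigma]_{1/4}$ rounds both $q$ timestamps up to $2$ and $3$ and falsifies it. Because the test $t < \lfloor t \rfloor + \epsilon$ in Definition 30 is strict, $\epsilon = \mu$ also rounds up, so the grid search reports $1/2$ as a violation as well, slightly more than the $\epsilon < \mu$ stated in the example.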
5.2 Other Work on the Relations between Dense and Discrete Time

The introduction of the notion of digitization has spawned much derivative work, where the notion is applied to various formalisms. Several authors considered digitization for automata-based real-time formalisms, especially timed automata [BER94, Bos99, MP95, BMT99, BLN03, OW03, CLT07]. Others studied how the decidability and complexity of standard verification problems for timed automata (esp. reachability) change when moving from a dense- to a discrete-time semantics, such as in [GPV94, KP05]. Asarin, Maler, and Pnueli [AMP98] investigated instead to what extent the qualitative behavior of digital circuits (which can in turn be modeled as timed automata [MP95]) is preserved in a sampled discrete-time semantics. The focus of all these works is to determine to what extent the computationally simpler discrete-time semantics can be substituted for the dense-time semantics for automated verification.

The notion of digitization has been applied also to descriptive notations, such as real-time temporal logics and process algebras. In the latter category, Ouaknine studies digitization for timed CSP [Oua02]; his main contribution is the proof that all timed CSP processes are closed under inverse digitization, hence they can be model-checked over dense time by considering just their discrete-time semantics.

Among temporal logics, the digitization of duration calculus (DC) and its variants has been studied in several works. Van Hung and Giang consider standard duration calculus and a slight generalization of digitization called sampling [HG96]. Their work is focused on providing inference rules that allow one to infer the validity of dense-time formulas from the validity of sampled discrete-time formulas and vice versa. Another similarity with our approach is that they consider $\delta$-stability: a constraint similar to non-Berkeleyness that relates the "speed" of signals and the sampling period $\delta$. Unlike non-Berkeleyness, $\delta$-stability is asymmetric, in that whenever a proposition switches to true it must hold its truth value for more than $\delta$ time units, but it is not required to do so when it switches to false.

Pandya et al. also have applied the notion of digitization to DC, with the aim of developing efficient dense-time verification techniques based on discretization. Their overall approach consists of two parts, and it has been shown to be applicable to MTL as well [Pan08]. In the first part [CP03], the notion of digitization has been applied to IDL (Interval Duration Logic), a DC variant whose formulas are interpreted over timed words. Given that a syntactic characterization of closure under inverse digitization for IDL formulas is hard to achieve, a new notion of strong closure under inverse digitization (SCID) is introduced. SCID eases the problem because it is straightforward to determine if an IDL formula is SCID, and SCID entails closure under inverse digitization in the standard sense. For formulas that are not SCID, approximations of formulas are introduced. In the second part [PNL07], the richer semantics of DC (based on behaviors) is reduced to the timed word semantics of IDL through two approximation mappings $\alpha^+$ and $\alpha^-$. $\alpha^+$ and $\alpha^-$ play a role similar to our over- and under-approximations $O_\delta, \Omega_\delta$, in that $\alpha^+$ preserves non-validity and $\alpha^-$ preserves validity from the sampled to the dense-time semantics. Unsurprisingly, the resulting verification technique is incomplete, as DC is undecidable over dense time.

De Alfaro and Manna considered the problem of discretization for the pred- 
icate temporal logic TL [dM95]. Their results are based on the semantic notion 
of finite variability: informally, a formula $\phi$ is finitely variable if, for any timed 
word, one can find a refined "ground" timed word such that any subformula of 
$\phi$ has a constant truth value within any interval of the refined word. For finitely 
variable formulas over ground traces, the satisfaction relation of a formula $\phi$ 
in the dense-time semantics corresponds to that of $\Omega(\phi)$ in the discrete-time 
semantics (where $\Omega$ is a given translation function). Some sufficient syntactic 
conditions for a formula to achieve the finite variability requirement are in- 
troduced; based on these, a methodology for dense-time verification through 
refinement to discrete time is proposed. 

Fainekos and Pappas [FP07a, FP07b] present a technique for testing speci- 
fications written in MITL (an MTL subset) against continuous-time signals by 
analyzing only discrete samplings of the signals. Their technique shares underly- 
ing motivations and ideas with ours, although the two approaches have comple- 
mentary scopes: our results bridge the gap between the dense-time non-Berkeley 
semantics and the discrete-time semantics for MTL, whereas Fainekos and Pap- 
pas discover concrete and practical conditions under which the continuous-time 
behavior of a dynamical system can be analyzed by means of its discrete-time 
observations. 

5.3 The Sampling Theorem 

The sampling theorem [BF01] states sufficient conditions under which no infor- 
mation loss occurs in the digital sampling of a continuous-time signal. A 
continuous-time signal $s$ is a mapping $s : \mathbb{R} \to D$ where $D$ is some, usually 
dense, codomain. $B_s$ denotes the bandwidth of $s$, that is its highest frequency 
in $s$.¹⁶ Using the notation of Section 3, the sampling of $s$ with sampling period 
$\delta$ is the discrete-time signal $\sigma_{\delta,0}[s]$. The sampling theorem states that $s$ can be 
perfectly reconstructed from $\sigma_{\delta,0}[s]$ for any $\delta < 1/(2B_s)$. 

A number of similarities between this fundamental theorem of signal the- 
ory and the results of this paper are apparent. In particular, the requirement 
on the relation between bandwidth and sampling period is reminiscent of the 
non-Berkeleyness requirement, so that the results of this paper might seem a 
consequence of the sampling theorem. Our dense-time behaviors $\mathcal{B}_{\mathcal{P}}$ can indeed 
be modeled as continuous-time signals over range $[0, 2^{|\mathcal{P}|}]$. However all of them 
have infinite bandwidth because of the discontinuities corresponding to transi- 
tion points, regardless of whether they are non-Berkeley or not. Hence the sam- 
pling theorem cannot strictly be applied to Boolean-valued signals. Nonetheless, 
a connection between the theory of sampling and the theory of this paper exists, 
as we demonstrate in the following. 

Example 32. Consider a simple unary alphabet $\{p\}$ and a single behavior 
$b$ such that $p$ holds over $\mathbb{R}_{>0}$ and does not hold over $\mathbb{R}_{<0}$ (we disregard the 
value of $p$ exactly at 0). $b$ corresponds to the signal $s : \mathbb{R} \to [0,1]$ defined 
as $s(t) = H(t)$ where $H$ denotes the usual (Heaviside) unit step function (see 
Figure 4). $b$ can also be described perfectly by the MTL formula 
$\beta = \tilde{\Box}_{>0}(\neg p) \wedge \Box_{>0}(p)$ evaluated at the origin. The discrete-time MTL formula 
$\beta' = \Omega_\delta[\beta] = \tilde{\Box}_{>1}(\neg p) \wedge \Box_{>1}(p)$ characterizes discrete-time samplings of $b$ according to our 

¹⁶ The highest frequency is defined as the largest nonzero value for which the Fourier trans- 
form $\mathcal{F}[s]$ of $s$ is non-zero. 

Figure 4: Signals $s(t)$ (in gray) and $\hat{s}(t)$ (in black). 

theory. $\beta'$ can be seen as describing some dense-time behaviors in $\mathcal{B}^{\delta}_{\mathcal{P}}$ through 
their samplings: all behaviors such that $p$ holds over $\mathbb{R}_{>\delta}$ and it does not hold 
over $\mathbb{R}_{<-\delta}$. Hence, the sampling has introduced an information loss in the 
formula about where exactly $p$ switches within $(-\delta, \delta)$. If we try to reconstruct 
$s$ from its digital sampling according to the classical theory, we notice that we 
introduce a similar information loss. In fact, let $\hat{s} : \mathbb{R} \to \mathbb{R}$ be the continuous- 
time reconstruction of $\sigma_{\delta,0}[s]$ built with the Whittaker-Shannon interpolation 
formula, i.e., $\hat{s}(t) = \sum_{k \in \mathbb{Z}} \sigma_{\delta,0}[s](k)\,\mathrm{sinc}((t - k\delta)/\delta)$. As can be seen in 
Figure 4, $\hat{s}$ coincides almost perfectly with $s$ over $\mathbb{R}_{<-\delta} \cup \mathbb{R}_{>\delta}$ (the residual errors are 
only due to numerical approximations), whereas it deviates significantly within 
$(-\delta, \delta)$ due to the information loss introduced with sampling (it passes right 
through the origin only as a result of symmetry). In this sense, information loss 
for Boolean-valued signals is similar in our theory for MTL and in classical 
sampling theory for signals. 
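The following script is an added, constructed illustration of Example 32; it is not code from the paper. It samples a family of step behaviors $b_\tau$ ($p$ switches at $\tau$) with period $\delta$, reads the discrete-time formula $\beta'$ over the sampled word, and reconstructs the signal with the Whittaker-Shannon formula. Assumptions of the example: $\delta = 1$, the sum over $\mathbb{Z}$ is truncated to $k \in [-200, 200]$, and $\beta'$ is evaluated over that finite window only. It shows the two sides of the information loss discussed above: every switch point in $(0, \delta)$ yields the same sampled word (which satisfies $\beta'$, as does the word of a switch in $(-\delta, 0]$), and the sinc reconstruction, while exact at the sampling instants, returns $1/2$ at the midpoint of the lost interval whatever the true switch point was.

```python
import math

# Added example for Example 32 (constructed here, not code from the paper).
# Assumptions: delta = 1.0, the sum over Z in the Whittaker-Shannon formula is
# truncated to k in [-K, K], and the discrete-time formula beta' is evaluated
# over that finite window only.

DELTA = 1.0   # sampling period delta (assumed value)
K = 200       # truncation bound for the interpolation sum (assumed)


def step(tau):
    """Dense-time behavior b_tau: p holds for t > tau and not for t < tau.
    The value exactly at t == tau is disregarded, as in the paper; we use 0."""
    return lambda t: 1.0 if t > tau else 0.0


def sample(s, delta=DELTA, k_max=K):
    """sigma_{delta,0}[s]: the discrete-time word k -> s(k * delta), k in [-k_max, k_max]."""
    return {k: s(k * delta) for k in range(-k_max, k_max + 1)}


def sinc(x):
    """Normalized sinc, sin(pi x) / (pi x), with sinc(0) = 1."""
    if x == 0.0:
        return 1.0
    return math.sin(math.pi * x) / (math.pi * x)


def reconstruct(word, t, delta=DELTA):
    """Whittaker-Shannon interpolation of the sampled word, truncated to its window:
    s_hat(t) = sum_k word[k] * sinc((t - k delta) / delta)."""
    return sum(v * sinc((t - k * delta) / delta) for k, v in word.items())


def same_sampling(taus, delta=DELTA):
    """True iff every behavior b_tau, tau in taus, yields the same sampled word."""
    words = [sample(step(tau), delta) for tau in taus]
    return all(w == words[0] for w in words)


def holds_beta_prime(word):
    """beta' = past-always_{>1}(not p) and always_{>1}(p), read at position 0:
    p must be false at every position j < -1 and true at every position j > 1
    (positions -1, 0, 1 are unconstrained). Checked over the finite window."""
    past_ok = all(v == 0.0 for j, v in word.items() if j < -1)
    future_ok = all(v == 1.0 for j, v in word.items() if j > 1)
    return past_ok and future_ok


if __name__ == "__main__":
    # Every switch point strictly inside (0, delta) produces the same word ...
    taus = [0.25 * DELTA, 0.5 * DELTA, 0.75 * DELTA]
    print("same sampling for tau in (0, delta):", same_sampling(taus))
    word = sample(step(0.5 * DELTA))
    # ... that word satisfies beta' at 0, as does the word of a switch in (-delta, 0] ...
    print("beta' holds:", holds_beta_prime(word),
          holds_beta_prime(sample(step(-0.5 * DELTA))))
    # ... and the reconstruction is exact at the sampling instants but sits near 1/2
    # at the midpoint of the lost interval, whatever the true switch point was.
    for t in (-3.0, -0.5 * DELTA, 0.0, 0.5 * DELTA, 3.0):
        print(f"s_hat({t:+.2f}) = {reconstruct(word, t):+.4f}")
```

Running the script also lets one measure the truncated reconstruction at points outside $(-\delta, \delta)$, where the sinc series of a step still shows some ringing; the interval $(-\delta, \delta)$ is where the deviation is structural rather than numerical, since the sampled word carries no information about the switch point there.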

6 Conclusion 

In this paper, we presented an approach to relate dense-time MTL formulas 
to some discrete-time counterparts (and vice versa). We exploited the result- 
ing relationship to define a technique for the verification through discretization 
of systems described as dense-time MTL formulas. The verification technique 
is inherently incomplete, though in practice it has yielded promising results 
[FPR08a, FPR08b, BFPR09]. 

In the future, we plan to apply the notion of sampling presented in this paper 
to the synthesis of software components of real-time systems from continuous- 
time specifications. We will also further investigate the properties of the ver- 
ification technique presented in Section 4, in particular to better characterize, 
and possibly reduce, the scope of its incompleteness. 

Acknowledgements. We thank the anonymous reviewers of the ACM Trans- 